Preface



The Annual Conference of the European Association for Computer Science
Logic, CSL 2001, was held in Paris, Palais de la Mutualité, on September 10-13,
2001. This was the 15th in a series of annual meetings, originally intended as
International Workshops on Computer Science Logic, and the 10th to be held as
the Annual Conference of the EACSL. The conference was organized by Laboratoire
Spécification et Vérification (CNRS & ENS Cachan).

The CSL 2001 program committee selected 39 of 91 submitted papers for 
presentation at the conference and publication in this proceedings volume. The 
submitted papers originated from 26 different countries. Each paper was refereed 
by at least three reviewers. 

In addition to the contributed papers, the scientific program of CSL 2001 in- 
cluded three invited talks (Jean-Yves Girard, Peter O’Hearn, and Jan Van den 
Bussche). This volume includes the papers provided by the invited speakers as 
well as the selected contributed papers. The topics of the papers include: linear 
logic, descriptive complexity, semantics, higher-order programs, modal logics, 
verification, automata, λ-calculus, induction, equational calculus, and constructive
theory of types.

I am most grateful to the members of the program committee and all the 
referees for their thorough work. I am also particularly indebted to François
Laroussinie, helped by Patricia Bouyer, Nicolas Markey, and Philippe Schnoebelen,
for the successful organization of this event. Special thanks to Emmanuel
Fleury for the design of the beautiful “Notre-Dame de Paris” poster. 
Local Reasoning about Programs
that Alter Data Structures 



Peter O'Hearn¹, John Reynolds², and Hongseok Yang³

¹ Queen Mary, University of London
² Carnegie Mellon University
³ University of Birmingham and University of Illinois at Urbana-Champaign



Abstract. We describe an extension of Hoare’s logic for reasoning about 
programs that alter data structures. We consider a low-level storage 
model based on a heap with associated lookup, update, allocation and 
deallocation operations, and unrestricted address arithmetic. The asser- 
tion language is based on a possible worlds model of the logic of bunched 
implications, and includes spatial conjunction and implication connec- 
tives alongside those of classical logic. Heap operations are axiomatized 
using what we call the “small axioms” , each of which mentions only those 
cells accessed by a particular command. Through these and a number of 
examples we show that the formalism supports local reasoning: A speci- 
fication and proof can concentrate on only those cells in memory that a 
program accesses. 

This paper builds on earlier work by Burstall, Reynolds, Ishtiaq and 
O’Hearn on reasoning about data structures. 



1 Introduction 

Pointers have been a persistent trouble area in program proving. The main dif- 
ficulty is not one of finding an in-principle adequate axiomatization of pointer 
operations; rather there is a mismatch between simple intuitions about the way 
that pointer operations work and the complexity of their axiomatic treatments. 
For example, pointer assignment is operationally simple, but when there is alias- 
ing, arising from several pointers to a given cell, then an alteration to that cell 
may affect the values of many syntactically unrelated expressions. (See [20, 2, 4, 
6] for discussion and references to the literature on reasoning about pointers.) 

We suggest that the source of this mismatch is the global view of state 
taken in most formalisms for reasoning about pointers. In contrast, programmers 
reason informally in a local way. Data structure algorithms typically work by 
applying local surgeries that rearrange small parts of a data structure, such as 
rotating a small part of a tree or inserting a node into a list. Informal reasoning 
usually concentrates on the effects of these surgeries, without picturing the entire 
memory of a system. We summarize this local reasoning viewpoint as follows. 

To understand how a program works, it should be possible for reasoning 
and specification to be confined to the cells that the program actually ac- 
cesses. The value of any other cell will automatically remain unchanged. 
Local reasoning is intimately tied to the complexity of specifications. Often, a
program works with a circumscribed collection of resources, and it stands to 
reason that a specification should concentrate on just those resources that a 
program accesses. For example, a program that inserts an element into a linked 
list need know only about the cells in that list; there is no need (intuitively) to 
keep track of all other cells in memory when reasoning about the program. 

The central idea of the approach studied in this paper is of a “spatial con- 
junction” P * Q, that asserts that P and Q hold for separate parts of a data 
structure. The conjunction provides a way to compose assertions that refer to 
different areas of memory, while retaining disjointness information for each of 
the conjuncts. The locality that this provides can be seen both on the level of 
atomic heap assignments and the level of compound operations or procedures. 
When an alteration to a single heap cell affects P in P*Q, then we know that it 
will not affect Q; this gives us a way to short-circuit the need to check for poten- 
tial aliases in Q. On a larger scale, a specification {P}C{Q} of a heap surgery 
can be extended using a rule that lets us infer {P * R}C {Q * R} , which expresses 
that additional heap cells remain unaltered. This enables the initial specification 
{P}C{Q} to concentrate on only the cells in the program’s footprint. 

The basic idea of the spatial conjunction is implicit in early work of Burstall 
[3]. It was explicitly described by Reynolds in lectures in the fall of 1999; then an 
intuitionistic logic based on this idea was discovered independently by Reynolds 
[20] and by Ishtiaq and O’Hearn [7] (who also introduced a spatial implication 
$P \mathrel{-\!\!*} Q$, based on the logic BI of bunched implications [11, 17]). In addition, Ishtiaq
and O'Hearn devised a classical version of the logic that is more expressive
than the intuitionistic version. In particular, it can express storage deallocation. 

Subsequently, Reynolds extended the classical version by adding pointer 
arithmetic. This extension results in a model that is simpler and more gen- 
eral than our previous models, and opens up the possibility of verifying a wider 
range of low-level programs, including many whose properties are difficult to 
capture using type systems. Meanwhile, O’Hearn fleshed out the theme of local 
reasoning sketched in [7], and he and Yang developed a streamlined presentation 
of the logic based on what we call the “small axioms” . 

In this joint paper we present the pointer arithmetic model and assertion 
language, with the streamlined Hoare logic. We illustrate the formalism using 
programs that work with a space-saving representation of doubly-linked lists, 
and a program that copies a tree. 

Two points are worth stressing before continuing. First, by local we do not 
merely mean compositional reasoning: It is perfectly possible to be compositional 
and global (in the state) at the same time, as was the case in early denotational 
models of imperative languages. Second, some aspects of this work bear a strong 
similarity to semantic models of local state [19, 15, 16, 13, 12]. In particular, the 
conjunction * is related to interpretations of syntactic control of interference [18, 
10, 12], and the Frame Rule described in Section 3 was inspired by the idea of 
the expansion of a command from [19,15]. Nevertheless, local reasoning about 
state is not the same thing as reasoning about local state: We are proposing 
here that specifications and reasoning themselves be kept confined, and this is
an issue whether or not we consider programming facilities for hiding state. 

2 The Model and Assertion Language 

The model has two components, the store and the heap. The store is a finite
partial function mapping from variables to integers. The heap is indexed by a
subset Locations of the integers, and is accessed using indirect addressing $[E]$
where $E$ is an arithmetic expression.

$$\begin{array}{ll}
\mathit{Ints} = \{\ldots, -1, 0, 1, \ldots\} & \mathit{Variables} = \{x, y, \ldots\} \\
\mathit{Atoms}, \mathit{Locations} \subseteq \mathit{Ints} & \mathit{Locations} \cap \mathit{Atoms} = \{\},\ \ \mathit{nil} \in \mathit{Atoms} \\
\mathit{Stores} = \mathit{Variables} \rightharpoonup_{\mathrm{fin}} \mathit{Ints} & \mathit{Heaps} = \mathit{Locations} \rightharpoonup_{\mathrm{fin}} \mathit{Ints} \\
\mathit{States} = \mathit{Stores} \times \mathit{Heaps} &
\end{array}$$

In order for allocation to always succeed, we place a requirement on the set 
Locations: For any positive integer n, there are infinitely many sequences of 
length n of consecutive integers in Locations. This requirement is satisfied if we 
take Locations to be the non-negative integers. (In several example formulae, we 
will implicitly rely on this choice.) Then we could take Atoms to be the negative 
integers, and nil to be —1. 

Integer and boolean expressions are determined by valuations

$$[\![E]\!]s \in \mathit{Ints} \qquad\qquad [\![B]\!]s \in \{\mathit{true}, \mathit{false}\}$$

where the domain of $s \in \mathit{Stores}$ includes the free variables of $E$ or $B$. The
grammars for expressions are as follows.

$$\begin{array}{lcl}
E, F, G & ::= & x, y, \ldots \mid 0 \mid 1 \mid E + E \mid E \times E \mid E - E \\
B & ::= & \mathit{false} \mid B \Rightarrow B \mid E = F \mid E < E \mid \mathit{isatom?}(E) \mid \mathit{isloc?}(E)
\end{array}$$

The expressions $\mathit{isatom?}(E)$ and $\mathit{isloc?}(E)$ test whether $E$ is an atom or location.

The assertions include all of the boolean expressions, the points-to relation
$E \mapsto F$, all of classical logic, and the spatial connectives $\mathsf{emp}$, $*$ and $-\!\!*$.

$$\begin{array}{lcll}
P, Q, R & ::= & B \mid E \mapsto F & \text{Atomic Formulae} \\
& \mid & \mathit{false} \mid P \Rightarrow Q \mid \forall x.\, P & \text{Classical Logic} \\
& \mid & \mathsf{emp} \mid P * Q \mid P \mathrel{-\!\!*} Q & \text{Spatial Connectives}
\end{array}$$

Various other connectives are defined as usual: $\neg P = P \Rightarrow \mathit{false}$; $\mathit{true} = \neg(\mathit{false})$;
$P \vee Q = (\neg P) \Rightarrow Q$; $P \wedge Q = \neg(\neg P \vee \neg Q)$; $\exists x.\, P = \neg \forall x.\, \neg P$.

We use the following notations in the semantics of assertions. 

1. $\mathit{dom}(h)$ denotes the domain of definition of a heap $h \in \mathit{Heaps}$, and $\mathit{dom}(s)$ is
the domain of $s \in \mathit{Stores}$;

2. $h \mathrel{\#} h'$ indicates that the domains of $h$ and $h'$ are disjoint;

3. $h * h'$ denotes the union of disjoint heaps (i.e., the union of functions with
disjoint domains);

4. $(f \mid i \mapsto j)$ is the partial function like $f$ except that $i$ goes to $j$. This notation
is used both when $i$ is and is not in the domain of $f$.

We define a satisfaction judgement $s, h \models P$ which says that an assertion
holds for a given store and heap. (This assumes that $\mathit{Free}(P) \subseteq \mathit{dom}(s)$, where
$\mathit{Free}(P)$ is the set of variables occurring freely in $P$.)

$$\begin{array}{lcl}
s, h \models B & \text{iff} & [\![B]\!]s = \mathit{true} \\
s, h \models E \mapsto F & \text{iff} & \{[\![E]\!]s\} = \mathit{dom}(h) \text{ and } h([\![E]\!]s) = [\![F]\!]s \\
s, h \models \mathit{false} & & \text{never} \\
s, h \models P \Rightarrow Q & \text{iff} & \text{if } s, h \models P \text{ then } s, h \models Q \\
s, h \models \forall x.\, P & \text{iff} & \forall v \in \mathit{Ints}.\ [s \mid x \mapsto v], h \models P \\
s, h \models \mathsf{emp} & \text{iff} & h = [\,] \text{ is the empty heap} \\
s, h \models P * Q & \text{iff} & \exists h_0, h_1.\ h_0 \mathrel{\#} h_1,\ h_0 * h_1 = h,\ s, h_0 \models P \text{ and } s, h_1 \models Q \\
s, h \models P \mathrel{-\!\!*} Q & \text{iff} & \forall h'.\ \text{if } h \mathrel{\#} h' \text{ and } s, h' \models P \text{ then } s, h * h' \models Q
\end{array}$$

Notice that the semantics of $E \mapsto F$ is "exact", where it is required that $E$ is
the only active address in the current heap. Using $*$ we can build up descriptions
of larger heaps. For example, $(10 \mapsto 3) * (11 \mapsto 10)$ describes two adjacent cells
whose contents are 3 and 10.

On the other hand, $E = F$ is completely heap independent (like all boolean
and integer expressions). As a consequence, a conjunction $(E = F) * P$ is true
just when $E = F$ holds in the current store and when $P$ holds for the same store
and some heap contained in the current one.

It will be convenient to have syntactic sugar for describing adjacent cells,
and for an exact form of equality. We also have sugar for when $E$ is an active
address.

$$\begin{array}{lcl}
E \mapsto F_0, \ldots, F_n & = & (E \mapsto F_0) * \cdots * (E + n \mapsto F_n) \\
E \doteq F & = & (E = F) \wedge \mathsf{emp} \\
E \mapsto - & = & \exists y.\, E \mapsto y \qquad (y \notin \mathit{Free}(E))
\end{array}$$

A characteristic property of $\doteq$ is the way it interacts with $*$:

$$(E \doteq F) * P \iff (E = F) \wedge P.$$

As an example of adjacency, consider an "offset list", where the next node in
a linked list is obtained by adding an offset to the position of the current node.
Then the formula

$$(x \mapsto a, o) * (x + o \mapsto b, -o)$$

describes a two-element, circular, offset list that contains $a$ and $b$ in its head
fields and offsets in its link fields. For example, in a store where $x = 17$ and
$o = 25$, the formula is true of the heap with exactly four active cells: address 17
holds $a$, address 18 holds 25, address 42 holds $b$, and address 43 holds $-25$.

The semantics in this section is a model of (the Boolean version of) the logic
of bunched implications [11, 17]. This means that the model validates all the
laws of classical logic, commutative monoid laws for $\mathsf{emp}$ and $*$, and the "parallel
rule" for $*$ and "adjunction rules" for $-\!\!*$.

$$\frac{P \Rightarrow Q \qquad R \Rightarrow S}{P * R \Rightarrow Q * S}$$

$$\frac{P * R \Rightarrow S}{P \Rightarrow R \mathrel{-\!\!*} S} \qquad\qquad
\frac{P \Rightarrow R \mathrel{-\!\!*} S \qquad Q \Rightarrow R}{P * Q \Rightarrow S}$$

Other facts, true in the specific model, include

$$((E \mapsto F) * (E' \mapsto F') * \mathit{true}) \Rightarrow E \neq E' \qquad\qquad
\mathsf{emp} \iff \forall x.\, \neg(x \mapsto - * \mathit{true})$$

See [21] for a fuller list.
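The satisfaction judgement above is decidable by enumeration on a finite heap for every connective except $-\!\!*$ (which quantifies over all disjoint heaps). What follows is an added example, not code from the paper: a small Python checker for that fragment. It assumes an encoding of assertions as nested tuples, a store that is a dict from variable names to ints, and a heap that is a dict from addresses to ints. The exactness of $\mapsto$, the sugar for adjacent cells, exact equality $\doteq$, the $(E \doteq F) * P \iff (E = F) \wedge P$ law and the offset-list formula on the heap described above can all be checked against it.

```python
# Added example, not part of the paper: a checker for s,h |= P on finite
# stores/heaps, for the assertion language without the spatial implication.
# Encoding (assumed): formulas are tuples tagged 'emp', 'true', 'pt' (E |-> F),
# 'eq' (E = F), 'not', 'and', 'star'; integer expressions are int literals,
# variable names, or ('+' | '-' | '*', e1, e2).
from itertools import combinations


def ev(e, s):
    """Valuation [[E]]s of an integer expression in store s."""
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return s[e]
    op, a, b = e
    x, y = ev(a, s), ev(b, s)
    return {'+': x + y, '-': x - y, '*': x * y}[op]


def splits(h):
    """Every pair (h0, h1) with h0 # h1 and h0 * h1 = h."""
    keys = sorted(h)
    for n in range(len(keys) + 1):
        for left in combinations(keys, n):
            h0 = {k: h[k] for k in left}
            h1 = {k: h[k] for k in keys if k not in left}
            yield h0, h1


def sat(s, h, p):
    """s,h |= p, following the semantic clauses of Section 2."""
    tag = p[0]
    if tag == 'emp':
        return h == {}
    if tag == 'true':
        return True
    if tag == 'pt':                       # exact: E must be the ONLY active address
        a = ev(p[1], s)
        return set(h) == {a} and h[a] == ev(p[2], s)
    if tag == 'eq':                       # heap-independent
        return ev(p[1], s) == ev(p[2], s)
    if tag == 'not':
        return not sat(s, h, p[1])
    if tag == 'and':
        return sat(s, h, p[1]) and sat(s, h, p[2])
    if tag == 'star':                     # some disjoint split satisfies both conjuncts
        return any(sat(s, h0, p[1]) and sat(s, h1, p[2]) for h0, h1 in splits(h))
    raise ValueError(f"unknown connective {tag}")


def pts(e, *fs):
    """Sugar E |-> F0,...,Fn = (E |-> F0) * ... * (E+n |-> Fn)."""
    f = ('pt', e, fs[0])
    for n, fn in enumerate(fs[1:], start=1):
        f = ('star', f, ('pt', ('+', e, n), fn))
    return f


def dot_eq(e, f):
    """Exact equality E =. F = (E = F) /\ emp."""
    return ('and', ('eq', e, f), ('emp',))


# The circular offset list (x |-> a,o) * (x+o |-> b,-o) from the text.
OFFSET_LIST = ('star', pts('x', 'a', 'o'),
               pts(('+', 'x', 'o'), 'b', ('-', 0, 'o')))
```

Because `'pt'` insists that the cell is the whole heap, `(10 ↦ 3) * (11 ↦ 10)` is false of any heap with a third cell; to describe "at least these cells" one must star with `('true',)`, which is exactly the shape used in the last of the "other facts" above.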

3 The Core System 

In this section we present the core system, which consists of axioms for commands 
that alter the state as well as a number of inference rules. We will describe the 
meanings for the various commands informally, as each axiom is discussed. 

There is one axiom for each atomic command. We emphasize that
the right-hand side of := is not an expression occurring in the forms $x := [E]$
and $x := \mathsf{cons}(E_1, \ldots, E_k)$; $[\cdot]$ and $\mathsf{cons}$ do not appear within expressions. Only
$x := E$ is a traditional assignment, and it is the only atomic command that can
be described by Hoare's assignment axiom. In the axioms $x, m, n$ are assumed
to be distinct variables.

The Small Axioms

$$\begin{array}{l}
\{E \mapsto -\}\ [E] := F\ \{E \mapsto F\} \\[4pt]
\{E \mapsto -\}\ \mathsf{dispose}(E)\ \{\mathsf{emp}\} \\[4pt]
\{x \doteq m\}\ x := \mathsf{cons}(E_1, \ldots, E_k)\ \{x \mapsto E_1[m/x], \ldots, E_k[m/x]\} \\[4pt]
\{x = n\}\ x := E\ \{x = (E[n/x])\} \\[4pt]
\{E \mapsto n \wedge x = m\}\ x := [E]\ \{x = n \wedge E[m/x] \mapsto n\}
\end{array}$$






The Structural Rules

Frame Rule

$$\frac{\{P\}\ C\ \{Q\}}{\{P * R\}\ C\ \{Q * R\}} \qquad \mathit{Modifies}(C) \cap \mathit{Free}(R) = \{\}$$

Auxiliary Variable Elimination

$$\frac{\{P\}\ C\ \{Q\}}{\{\exists x.\, P\}\ C\ \{\exists x.\, Q\}} \qquad x \notin \mathit{Free}(C)$$

Variable Substitution

$$\frac{\{P\}\ C\ \{Q\}}{(\{P\}\ C\ \{Q\})[E_1/x_1, \ldots, E_k/x_k]} \qquad
\begin{array}{l}
\{x_1, \ldots, x_k\} \supseteq \mathit{Free}(P, C, Q), \text{ and} \\
x_i \in \mathit{Modifies}(C) \text{ implies} \\
E_i \text{ is a variable not free in any other } E_j
\end{array}$$

Rule of Consequence

$$\frac{P' \Rightarrow P \qquad \{P\}\ C\ \{Q\} \qquad Q \Rightarrow Q'}{\{P'\}\ C\ \{Q'\}}$$



The first small axiom just says that if E points to something beforehand (so 
it is active), then it points to F afterwards, and it says this for a small portion of 
the state in which E is the only active cell. This corresponds to the operational 
idea of [E] := F as a command that stores the value of F at address E in 
the heap. The axiom also implicitly says that the command does not alter any 
variables; this is covered by our definition of its Modifies set below. 

The dispose(E) instruction deallocates the cell at address E. In the post- 
condition for the dispose axiom emp is a formula which says that the heap is 
empty (no addresses are active) . So, the axiom states that if E is the sole active 
address and it is disposed, then in the resulting state there will be no active 
addresses. Here, the exact points-to relation is necessary, in order to be able to 
conclude emp on termination. 

The $x := \mathsf{cons}(E_1, \ldots, E_k)$ command allocates a contiguous segment of $k$ cells,
initialized to the values of $E_1, \ldots, E_k$, and places in $x$ the address of the first cell
from the segment. The precondition of the axiom uses the exact equality, which
implies that the heap is empty. The axiom says that if we begin with the empty
heap and a store where $x = m$, we will obtain $k$ contiguous cells with appropriate
values. The variable $m$ in this axiom is used to record the value of $x$ before the
command is executed.

We only get fixed-length allocation from $x := \mathsf{cons}(E_1, \ldots, E_k)$. It is also
possible to formulate an axiom for a command $x := \mathsf{alloc}(E)$ that allocates a
segment of length $E$; see [21].

We have also included small axioms for the other two commands, but they are 
less important. These commands are not traditionally as problematic, because 
they do not involve heap alteration. 
The small axioms are so named because each mentions only the area of heap
accessed by the corresponding command. For $[E] := F$ and $x := [E]$ this is
one cell, in the axioms for dispose or cons precisely those cells allocated or
deallocated are mentioned, and in $x := E$ no heap cells are accessed.

The notion of free variable referred to in the structural rules is the standard
one. $\mathit{Modifies}(C)$ is the set of variables that are assigned to within $C$. The Modifies
set of each of $x := \mathsf{cons}(E_1, \ldots, E_k)$, $x := E$ and $x := [E]$ is $\{x\}$, while for
$\mathsf{dispose}(E)$ and $[E] := F$ it is empty. Note that the Modifies set only tracks
potential alterations to the store, and says nothing about the heap cells that
might be modified.

In this paper we treat the Rule of Consequence semantically. That is, when
the premisses $P' \Rightarrow P$ and $Q \Rightarrow Q'$ are true in the model for arbitrary store/heap
pairs, we will use the rule without formally proving the premisses.

The Frame Rule codifies a notion of local behaviour. The idea is that the pre- 
condition in {P}C{Q} specifies an area of storage, as well as a logical property, 
that is sufficient for C to run and (if it terminates) establish postcondition Q. 
If we start execution with a state that has additional heap cells, beyond those 
described by P, then the values of the additional cells will remain unaltered. We 
use * to separate out these additional cells. The invariant assertion R is what 
McCarthy and Hayes called a “frame axiom” [9]. It describes cells that are not 
accessed, and hence not changed, by C. 

As a warming-up example, using the Frame Rule we can prove that assigning
to the first component of a binary cons cell does not affect the second component.

$$\begin{array}{ll}
\{x \mapsto a\}\ [x] := b\ \{x \mapsto b\} & \\[4pt]
\{(x \mapsto a) * (x + 1 \mapsto c)\}\ [x] := b\ \{(x \mapsto b) * (x + 1 \mapsto c)\} & \text{Frame} \\[4pt]
\{x \mapsto a, c\}\ [x] := b\ \{x \mapsto b, c\} & \text{Syntactic Sugar}
\end{array}$$

The overlap of free variables between $x + 1 \mapsto c$ and $[x] := b$ is allowed here
because $\mathit{Modifies}([x] := b) = \{\}$.



4 Derived Laws 

The small axioms are simple but not practical. Rather, they represent a kind 
of thought experiment, an extreme take on the idea that a specification can 
concentrate on just those cells that a program accesses. 

In this section we show how the structural rules can be used to obtain a 
number of more convenient derived laws (most of which were taken as primitive 
in [20,7]). Although we will not explicitly state a completeness result, along 
the way we will observe that weakest preconditions or strongest postconditions 
are derivable for each of the individual commands. This shows a sense in which 
nothing is missing in the core system, and justifies the claim that each small 
axiom gives enough information to understand how its command works. 

We begin with $[E] := F$. If we consider an arbitrary invariant $R$ then we
obtain the following derived axiom using the Frame Rule with the small axiom
as its premise.

$$\{(E \mapsto -) * R\}\ [E] := F\ \{(E \mapsto F) * R\}$$

This axiom expresses a kind of locality: Assignment to $[E]$ affects the heap cell
at position $E$ only, and so cannot affect the assertion $R$. In particular, there is
no need to generate alias checks within $R$. With several more steps of Auxiliary
Variable Elimination we can obtain an axiom that is essentially the one from
[20]:

$$\{\exists x_1, \ldots, x_n.\, (E \mapsto -) * R\}\ [E] := F\ \{\exists x_1, \ldots, x_n.\, (E \mapsto F) * R\}
\qquad \text{where } x_1, \ldots, x_n \notin \mathit{Free}(E, F).$$

For allocation, suppose $x \notin \mathit{Free}(E_1, \ldots, E_k)$. Then a simpler version of the
small axiom is

$$\{\mathsf{emp}\}\ x := \mathsf{cons}(E_1, \ldots, E_k)\ \{x \mapsto E_1, \ldots, E_k\}$$

This can be derived using rules for auxiliary variables and Consequence. If,
further, $R$ is an assertion where $x \notin \mathit{Free}(R)$ then

$$\begin{array}{ll}
\{\mathsf{emp}\}\ x := \mathsf{cons}(E_1, \ldots, E_k)\ \{x \mapsto E_1, \ldots, E_k\} & \\[4pt]
\{\mathsf{emp} * R\}\ x := \mathsf{cons}(E_1, \ldots, E_k)\ \{(x \mapsto E_1, \ldots, E_k) * R\} & \text{Frame} \\[4pt]
\{R\}\ x := \mathsf{cons}(E_1, \ldots, E_k)\ \{(x \mapsto E_1, \ldots, E_k) * R\} & \text{Consequence}
\end{array}$$

The conclusion is the strongest postcondition, and a variant involving auxiliary
variables handles the case when $x \in \mathit{Free}(R, E_1, \ldots, E_k)$.

As an example of the use of these laws, recall the assertion $(x \mapsto a, o) * (x + o \mapsto b, -o)$
that describes a circular offset-list. Here is a proof outline for a sequence
of commands that creates such a structure.

$$\begin{array}{l}
\{\mathsf{emp}\} \\
x := \mathsf{cons}(a, a) \\
\{x \mapsto a, a\} \\
t := \mathsf{cons}(b, b) \\
\{(x \mapsto a, a) * (t \mapsto b, b)\} \\
[x + 1] := t - x \\
\{(x \mapsto a, t - x) * (t \mapsto b, b)\} \\
[t + 1] := x - t \\
\{(x \mapsto a, t - x) * (t \mapsto b, x - t)\} \\
\{\exists o.\, (x \mapsto a, o) * (x + o \mapsto b, -o)\}
\end{array}$$

The last step, which is an instance of the Rule of Consequence, uses $t - x$ as
the witness for $o$. Notice how the alterations in the last two commands are done
locally. For example, because of the placement of $*$ we know that $x + 1$ must be
different from $t$ and $t + 1$, so the assignment $[x + 1] := t - x$ cannot affect the
$t \mapsto b, b$ conjunct.
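The proof outline above can be replayed operationally. The following is an added example, not the paper's own code: a Python interpreter for the five atomic commands over a concrete store and heap, in which (as the model requires) any access to an inactive address faults. It assumes that Locations are the non-negative integers, that `cons` hands out the lowest free run of addresses (an arbitrary choice; the axioms only promise fresh contiguous cells), and it represents the store and heap as dicts. Running the offset-list program on a heap that already holds unrelated cells shows the Frame Rule's promise directly: those cells are untouched, and the four cells of the footprint satisfy the postcondition exactly.

```python
# Added example (not from the paper): operational model of the atomic
# commands of Section 3, plus the offset-list program of Section 4.
# Assumptions: Locations = non-negative ints; heap and store are dicts;
# a command that touches an inactive address raises Fault.


class Fault(Exception):
    """Raised when a command touches an address that is not active."""


def lookup(h, a):                 # x := [E]
    if a not in h:
        raise Fault(f"read of inactive address {a}")
    return h[a]


def update(h, a, v):              # [E] := F
    if a not in h:
        raise Fault(f"write to inactive address {a}")
    h[a] = v


def dispose(h, a):                # dispose(E)
    if a not in h:
        raise Fault(f"dispose of inactive address {a}")
    del h[a]


def cons(h, *vals):               # x := cons(E1, ..., Ek)
    """Allocate k contiguous fresh addresses (lowest free run); return the first."""
    a = 0
    while any(a + i in h for i in range(len(vals))):
        a += 1
    for i, v in enumerate(vals):
        h[a + i] = v
    return a


def build_offset_list(s, h, a, b):
    """x := cons(a,a); t := cons(b,b); [x+1] := t-x; [t+1] := x-t"""
    s['x'] = cons(h, a, a)
    s['t'] = cons(h, b, b)
    update(h, s['x'] + 1, s['t'] - s['x'])
    update(h, s['t'] + 1, s['x'] - s['t'])


def footprint(s):
    """The cells the postcondition (x |-> a,o) * (x+o |-> b,-o) describes."""
    x, t = s['x'], s['t']
    return {x, x + 1, t, t + 1}


def is_circular_offset_list(h, x, a, b):
    """Exact check of (x |-> a,o) * (x+o |-> b,-o), o read from x+1:
    h must consist of precisely these four distinct cells."""
    o = lookup(h, x + 1)
    cells = {x, x + 1, x + o, x + o + 1}
    return (len(cells) == 4 and set(h) == cells
            and h[x] == a and h[x + o] == b and h[x + o + 1] == -o)


def run_with_frame(a, b, frame):
    """Run the program on a heap that already contains `frame` (the R of
    the Frame Rule); return the final (store, heap)."""
    s, h = {}, dict(frame)
    build_offset_list(s, h, a, b)
    return s, h


def frame_untouched(a, b, frame):
    """{emp * R} program {(x |-> a,o) * (x+o |-> b,-o) * R}, checked concretely."""
    s, h = run_with_frame(a, b, frame)
    rest = {k: v for k, v in h.items() if k not in footprint(s)}
    core = {k: v for k, v in h.items() if k in footprint(s)}
    return rest == frame and is_circular_offset_list(core, s['x'], a, b)


def read_after_dispose_faults():
    """dispose's postcondition is emp: the cell is gone, so a later read
    faults instead of returning stale data."""
    h = {}
    x = cons(h, 7)
    dispose(h, x)
    try:
        lookup(h, x)
    except Fault:
        return True
    return False
```

The fault on a dangling read is the operational counterpart of the exact precondition `{E ↦ −}`: none of the small axioms applies to a state in which `E` is inactive, so no triple can be proved for the offending command, and the interpreter refuses it for the same reason.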

If we wish to reason backwards, then $-\!\!*$ can be used to express weakest
preconditions. Given an arbitrary postcondition $Q$, choosing $(E \mapsto F) \mathrel{-\!\!*} Q$ as
the invariant gives a valid precondition for $[E] := F$

$$\begin{array}{ll}
\{E \mapsto -\}\ [E] := F\ \{E \mapsto F\} & \\[4pt]
\{(E \mapsto -) * ((E \mapsto F) \mathrel{-\!\!*} Q)\}\ [E] := F\ \{(E \mapsto F) * ((E \mapsto F) \mathrel{-\!\!*} Q)\} & \text{Frame} \\[4pt]
\{(E \mapsto -) * ((E \mapsto F) \mathrel{-\!\!*} Q)\}\ [E] := F\ \{Q\} & \text{Consequence}
\end{array}$$

The Consequence step uses an adjunction rule for $*$ and $-\!\!*$. The precondition
obtained is in fact the weakest: it expresses the "update as deletion followed by
extension" idea explained in [7]. The weakest precondition for allocation can also
be expressed with $-\!\!*$.

The weakest precondition for dispose can be computed directly, because the
Modifies set of $\mathsf{dispose}(E)$ is empty.

$$\begin{array}{ll}
\{E \mapsto -\}\ \mathsf{dispose}(E)\ \{\mathsf{emp}\} & \\[4pt]
\{(E \mapsto -) * R\}\ \mathsf{dispose}(E)\ \{\mathsf{emp} * R\} & \text{Frame} \\[4pt]
\{(E \mapsto -) * R\}\ \mathsf{dispose}(E)\ \{R\} & \text{Consequence}
\end{array}$$

The conclusion is (a unary version of) the axiom for dispose from [7].

The weakest precondition axiom for $x := E$ is the usual one of Hoare. For
$x := [E]$ it is similar, using $\exists$ to form a "let binder" (where $n \notin \mathit{Free}(E, P, x)$).

$$\begin{array}{l}
\{P[E/x]\}\ x := E\ \{P\} \\[4pt]
\{\exists n.\, (\mathit{true} * E \mapsto n) \wedge P[n/x]\}\ x := [E]\ \{P\}
\end{array}$$

The formal derivations of these laws from the small axioms make heavy use of
Variable Substitution and Auxiliary Variable Elimination; the details are
contained in Yang's thesis [24].

Another useful derived law for $x := [E]$ is for the case when $x \notin \mathit{Free}(E, R)$,
$y \notin \mathit{Free}(E)$, and when the precondition is of the form $(E \mapsto y) * R$. Then,

$$\{(E \mapsto y) * R\}\ x := [E]\ \{(E \mapsto x) * R[x/y]\}.$$



5 Beyond the Core

In the next few sections we give some examples of the formalism at work. In
these examples we use sequencing, if-then-else, and a construct newvar for
declaring a local variable. We can extend the core system with their usual Hoare
logic rules.

$$\frac{\{P \wedge B\}\ C\ \{Q\} \qquad \{P \wedge \neg B\}\ C'\ \{Q\}}{\{P\}\ \mathsf{if}\ B\ \mathsf{then}\ C\ \mathsf{else}\ C'\ \{Q\}}$$

$$\frac{\{P\}\ C_1\ \{Q\} \qquad \{Q\}\ C_2\ \{R\}}{\{P\}\ C_1; C_2\ \{R\}}$$

$$\frac{\{P\}\ C\ \{Q\}}{\{P\}\ \mathsf{newvar}\ x.\ C\ \{Q\}} \qquad x \notin \mathit{Free}(P, Q)$$

We will also use simple first-order procedures. The procedure definitions we
need will have the form

$$\mathsf{procedure}\ p(x_1, \ldots, x_n; y) \quad B$$

where $x_1, \ldots, x_n$ are variables not changed in the body $B$ and $y$ is a variable
that is assigned to. Procedure headers will always contain all of the variables
occurring freely in a procedure body. Accordingly, we define

$$\mathit{Modifies}(p(x_1, \ldots, x_n; y)) = \{y\} \qquad\qquad
\mathit{Free}(p(x_1, \ldots, x_n; y)) = \{x_1, \ldots, x_n, y\}.$$

We will need these clauses when applying the structural rules. In the examples
the calling mechanism can be taken to be either by-name for all the parameters,
or by-value on the $x_i$'s and by-reference on $y$.

Procedures are used in Section 7 mainly to help structure the presentation, 
but in Section 6 we also use recursive calls. There we appeal to the standard 
partial correctness rule which allows us to use the specification we are trying to 
prove as an assumption when reasoning about the body [5]. 

Our treatment in what follows will not be completely formal. We will continue 
to use the Rule of Consequence in a semantic way, and we will make inductive 
definitions without formally defining their semantics. Also, as is common, we will 
present program specifications annotated with intermediate assertions, rather 
than give step-by-step proofs. 

6 Tree Copy 

In this section we consider a procedure for copying a tree. The purpose of the 
example is to show the Frame Rule in action. 

For our purposes a tree will either be an atom $a$ or a pair $(\tau_1, \tau_2)$ of trees.
Here is an inductive definition of a predicate $\mathit{tree}\ \tau\ i$ which says when a number
$i$ represents a tree $\tau$.

$$\begin{array}{lcl}
\mathit{tree}\ a\ i & \iff & i = a \wedge \mathit{isatom?}(a) \wedge \mathsf{emp} \\[4pt]
\mathit{tree}\ (\tau_1, \tau_2)\ i & \iff & \exists x, y.\ (i \mapsto x, y) * (\mathit{tree}\ \tau_1\ x * \mathit{tree}\ \tau_2\ y)
\end{array}$$

These two cases are exclusive. For the first to be true $i$ must be an atom, where
in the second it must be a location.

The $\mathit{tree}\ \tau\ i$ predicate is "exact", in the sense that when it is true the current
heap must have all and only those heap cells used to represent the tree. If $\tau$ has
$n$ pairs in it and $s, h \models \mathit{tree}\ \tau\ i$ then the domain of $h$ has size $2n$.

The specification of the CopyTree procedure is

$$\{\mathit{tree}\ \tau\ p\}\ \mathsf{CopyTree}(p; q)\ \{(\mathit{tree}\ \tau\ p) * (\mathit{tree}\ \tau\ q)\}.$$

and here is the code.

$$\begin{array}{l}
\mathsf{procedure}\ \mathsf{CopyTree}(p; q) \\
\mathsf{newvar}\ i, j, i', j'. \\
\quad \{\mathit{tree}\ \tau\ p\} \\
\quad \mathsf{if}\ \mathit{isatom?}(p)\ \mathsf{then} \\
\quad\quad \{\tau = p \wedge \mathit{isatom?}(p) \wedge \mathsf{emp}\} \\
\quad\quad \{(\mathit{tree}\ \tau\ p) * (\mathit{tree}\ \tau\ p)\} \\
\quad\quad q := p \\
\quad\quad \{(\mathit{tree}\ \tau\ p) * (\mathit{tree}\ \tau\ q)\} \\
\quad \mathsf{else} \\
\quad\quad \{\exists \tau_1, \tau_2, x, y.\ \tau \doteq (\tau_1, \tau_2) * (p \mapsto x, y) * (\mathit{tree}\ \tau_1\ x) * (\mathit{tree}\ \tau_2\ y)\} \\
\quad\quad i := [p];\ j := [p + 1]; \\
\quad\quad \{\exists \tau_1, \tau_2.\ \tau \doteq (\tau_1, \tau_2) * (p \mapsto i, j) * (\mathit{tree}\ \tau_1\ i) * (\mathit{tree}\ \tau_2\ j)\} \\
\quad\quad \mathsf{CopyTree}(i; i'); \\
\quad\quad \{\exists \tau_1, \tau_2.\ \tau \doteq (\tau_1, \tau_2) * (p \mapsto i, j) * (\mathit{tree}\ \tau_1\ i) * (\mathit{tree}\ \tau_2\ j) * (\mathit{tree}\ \tau_1\ i')\} \\
\quad\quad \mathsf{CopyTree}(j; j'); \\
\quad\quad \{\exists \tau_1, \tau_2.\ \tau \doteq (\tau_1, \tau_2) * (p \mapsto i, j) * (\mathit{tree}\ \tau_1\ i) * (\mathit{tree}\ \tau_2\ j) * (\mathit{tree}\ \tau_1\ i') * (\mathit{tree}\ \tau_2\ j')\} \\
\quad\quad q := \mathsf{cons}(i', j') \\
\quad\quad \{\exists \tau_1, \tau_2.\ \tau \doteq (\tau_1, \tau_2) * (p \mapsto i, j) * (\mathit{tree}\ \tau_1\ i) * (\mathit{tree}\ \tau_2\ j) * (\mathit{tree}\ \tau_1\ i') * (\mathit{tree}\ \tau_2\ j') * (q \mapsto i', j')\} \\
\quad\quad \{(\mathit{tree}\ \tau\ p) * (\mathit{tree}\ \tau\ q)\}
\end{array}$$

Most of the steps are straightforward, but the two recursive calls deserve
special comment. In proving the body of the procedure we get to use the
specification of CopyTree as an assumption. But at first sight the specification does
not appear to be strong enough, since we need to be sure that $\mathsf{CopyTree}(i; i')$
does not affect the assertions $p \mapsto i, j$ and $\mathit{tree}\ \tau_2\ j$. Similarly, we need that
$\mathsf{CopyTree}(j; j')$ does not affect $\mathit{tree}\ \tau_1\ i'$.

These "does not affect" properties are obtained from two instances of the
Frame Rule:

$$\frac{\{\mathit{tree}\ \tau_1\ i\}\ \mathsf{CopyTree}(i; i')\ \{(\mathit{tree}\ \tau_1\ i) * (\mathit{tree}\ \tau_1\ i')\}}{
\begin{array}{l}
\{\tau \doteq (\tau_1, \tau_2) * (p \mapsto i, j) * (\mathit{tree}\ \tau_1\ i) * (\mathit{tree}\ \tau_2\ j)\} \\
\mathsf{CopyTree}(i; i') \\
\{\tau \doteq (\tau_1, \tau_2) * (p \mapsto i, j) * (\mathit{tree}\ \tau_1\ i) * (\mathit{tree}\ \tau_2\ j) * (\mathit{tree}\ \tau_1\ i')\}
\end{array}}$$

and

$$\frac{\{\mathit{tree}\ \tau_2\ j\}\ \mathsf{CopyTree}(j; j')\ \{(\mathit{tree}\ \tau_2\ j) * (\mathit{tree}\ \tau_2\ j')\}}{
\begin{array}{l}
\{\tau \doteq (\tau_1, \tau_2) * (p \mapsto i, j) * (\mathit{tree}\ \tau_1\ i) * (\mathit{tree}\ \tau_2\ j) * (\mathit{tree}\ \tau_1\ i')\} \\
\mathsf{CopyTree}(j; j') \\
\{\tau \doteq (\tau_1, \tau_2) * (p \mapsto i, j) * (\mathit{tree}\ \tau_1\ i) * (\mathit{tree}\ \tau_2\ j) * (\mathit{tree}\ \tau_1\ i') * (\mathit{tree}\ \tau_2\ j')\}.
\end{array}}$$

Then, the required triples for the calls are obtained using Auxiliary Variable
Elimination to introduce $\exists \tau_1, \tau_2$. (It would also have been possible to strip the
existential at the beginning of the proof of the else part, and then reintroduce
it after finishing instead of carrying it through the proof.)

This section illustrates two main points. First, if one does not have some 
way of representing or inferring frame axioms, then the proofs of even simple 
programs with procedure calls will not go through. In particular, for recursive 
programs attention to framing is essential if one is to obtain strong enough 
induction hypotheses. The CopyTree procedure could not be verified without the
Frame Rule, unless we were to complicate the initial specification by including
some explicit representation of frame axioms.

Second, the specification of CopyTree illustrates the idea of a specification 
that concentrates only on those cells that a program accesses. And of course 
these two points are linked; we need some way to infer frame axioms, or else 
such a specification would be too weak. 

7 Difference-Linked Lists 

The purpose of this section is to illustrate the treatment of address arithmetic, 
and also disposal. We do this by considering a space-saving representation of 
doubly-linked lists. 

Conventionally, a node in a doubly-linked list contains a data field, together 
with a field storing a pointer n to the next node and another storing a pointer p 
to the previous node. In the difference representation we store n — p in a single 
field rather than have separate fields for n and p. In a conventional doubly-linked 
list it is possible to move either forwards or backwards from a given node. In 
a difference-linked list given the current node c we can lookup the difference 
d = n — p between next and previous pointers. This difference does not, by itself, 
give us enough information to determine either n or p. However, if we also know 
p we can calculate n as d + p, and similarly given n we can obtain p as n — d. 
So, using the difference representation, it is possible to traverse the list in either 
direction as long as we keep track of the previous or next node as we go along. 

A similar, more time-efficient, representation is sometimes given using the 
xor of pointers rather than their difference. 

We now give a definition of a predicate $\mathit{dl}$. If we were working with conven-
tional doubly-linked lists then $\mathit{dl}\ a_1 \cdots a_n\ (i, i', j, j')$ would correspond to
a chain of nodes holding $a_1, \ldots, a_n$ whose first node is at $i$ and whose last
node is at $j'$, with $i'$ the previous pointer of the first node and $j$ the next
pointer of the last (figure omitted).

Typically, a doubly-linked list with front $i$ and back $j'$ would satisfy the predicate
$\mathit{dl}\ \alpha\ (i, \mathit{nil}, \mathit{nil}, j')$. The reason for the internal nodes $i'$ and $j$ is to allow us to
consider partial lists, not terminated by $\mathit{nil}$.

A definition of $\mathit{dl}$ for conventional doubly-linked lists was given in [20]. The
main alteration we must make is to use a two-field node $[\,a \mid n - p\,]$ instead of
a three-field node $[\,a \mid n \mid p\,]$ to represent a node.

Here is the definition.

$$\begin{array}{lcl}
\mathit{dl}\ \epsilon\ (i, i', j, j') & \iff & \mathsf{emp} \wedge i = j \wedge i' = j' \\[4pt]
\mathit{dl}\ a\alpha\ (i, i', k, k') & \iff & \exists j.\ (i \mapsto a, j - i') * \mathit{dl}\ \alpha\ (j, i, k, k')
\end{array}$$



We are using juxtaposition to represent the consing of an element $a$ onto the
front of a sequence $\alpha$, and $\epsilon$ to represent the empty sequence. As a small example,
$\mathit{dl}\ ab\ (5, 1, 3, 8)$ is true of the heap with exactly four active cells: address 5
holds $a$, address 6 holds $8 - 1$, address 8 holds $b$, and address 9 holds $3 - 5$.

It is instructive to look at how this definition works for a sequence consisting
of a single element, $a$. For $\mathit{dl}\ a\ (i, i', j, j')$ to hold we must have
$\exists x.\ (i \mapsto a, x - i') * \mathit{dl}\ \epsilon\ (x, i, j, j')$; we can pick $x$ to be $j$, as suggested by the $i = j$ part of the
case for $\epsilon$. We are still left, however, with the requirement that $i = j'$, and this
in fact leads us to the characterization $i \mapsto a, j - i' \wedge i = j'$ of $\mathit{dl}\ a\ (i, i', j, j')$.

Thus, a single-element list exemplifies how the $\epsilon$ case is arranged to be compat-
ible with the operation of consing an element onto the front of a sequence. The
roles of the $i = j$ and $i' = j'$ requirements are essentially reversed for the dual
operation, of adding a single element onto the end of a sequence. This operation
is characterized as follows.

$$\mathit{dl}\ \alpha a\ (i, i', k, k') \iff \exists j'.\ \mathit{d l}\ \alpha\ (i, i', k', j') * k' \mapsto a, k - j'$$

In the examples to come we will also use the following properties.

$$\begin{array}{l}
j' \neq \mathit{nil} \wedge \mathit{dl}\ \alpha\ (i, \mathit{nil}, j, j') \Rightarrow \exists \beta, a, k.\ \alpha \doteq \beta a * \mathit{dl}\ \beta\ (i, \mathit{nil}, j', k) * j' \mapsto a, j - k \\[4pt]
\mathit{dl}\ \alpha\ (i, i', j, \mathit{nil}) \Rightarrow \mathsf{emp} \wedge \alpha = \epsilon \wedge i' = \mathit{nil} \wedge i = j \\[4pt]
\mathit{dl}\ \alpha\ (\mathit{nil}, i', j, j') \Rightarrow \mathsf{emp} \wedge \alpha = \epsilon \wedge j = \mathit{nil} \wedge i' = j'
\end{array}$$

Doubly-linked lists are often used to implement queues, because they make 
it easy to work at either end. We axiomatize an enqueue operation. 
Rather than give the code all at once, it will be helpful to use a procedure 
to encapsulate the operation of setting a right pointer. Suppose we are in the 
position of having a pointer j', whose difference field represents pointing on the 
right to, say, j. We want to swing the right pointer so that it points to k instead. 
The specification of the procedure is 

{dl α (i, nil, j, j')} setrptr(j, j', k; i) {dl α (i, nil, k, j')}. 

Notice that this specification handles the α = ε case, when j' does not point to 
an active cell. 

Postponing the definition and proof of setrptr for a moment, we can use it 
to verify a code fragment for putting a value a on the end of a queue. 

{dl α (front, nil, nil, back)} 
t := back; 
{dl α (front, nil, nil, t)} 
back := cons(a, nil − t); 
{dl α (front, nil, nil, t) * back ↦ a, nil − t} 
setrptr(nil, t, back; front) 
{dl α (front, nil, back, t) * back ↦ a, nil − t} 
{dl αa (front, nil, nil, back)} 

The code creates a new node containing the value a and the difference nil − t. 
Then, the procedure call setrptr(nil, t, back; front) swings the right pointer 
associated with t so that the next node becomes back. In the assertions, the effect 
of back := cons(a, nil − t) is axiomatized by tacking *(back ↦ a, nil − t) onto its 
precondition. This sets us up for the call to setrptr; because of the placement 
of * we know that the call will not affect (back ↦ a, nil − t). More precisely, 
the triple for the call is obtained using Variable Substitution to instantiate the 
specification, and the Frame Rule with (back ↦ a, nil − t) as the invariant. 
Finally, here is an implementation of setrptr(j, j', k; i). 

{dl α (i, nil, j, j')} 
if j' = nil then 
  {α = ε ∧ emp ∧ j' = nil} 
  i := k 
  {α = ε ∧ emp ∧ j' = nil ∧ i = k} 
else 
  {∃α', b, p. (α = α'b) * dl α' (i, nil, j', p) * (j' ↦ b, j − p)} 
  newvar d. d := [j' + 1]; [j' + 1] := k + d − j 
  {∃α', b, p. (α = α'b) * dl α' (i, nil, j', p) * (j' ↦ b, k − p)} 
{dl α (i, nil, k, j')} 

The tricky part in the verification is the else branch of the conditional, where 
the code has to update the difference field of j' appropriately so that k becomes 
the next node of j'. It updates the field by adding k and subtracting j; since 
the field initially stores j − p, where p is the address of the previous node, such 
calculation results in the value k − p. 

The use of the temporary variable d in the else branch is a minor irritation. 
We could more simply write [j' + 1] := k + [j' + 1] − j if we were to allow nesting 
of [·]. An unresolved question is whether, in our formalism, such nesting could 
be dealt with in a way simpler than compiling it out using temporary variables. 

Now we sketch a similar development for code that implements a dequeue 
operation. In this case, we use a procedure setlptr(i, i', k; j'), which is similar 
to setrptr except that it swings a pointer to the left instead of to the right. 

{dl α (i, i', nil, j')} setlptr(i, i', k; j') {dl α (i, k, nil, j')} 

The dequeue operation removes the first element of a queue and places its 
data in x. 

{dl aα (front, nil, nil, back)} 
{∃n'. front ↦ a, n' − nil * dl α (n', front, nil, back)} 
x := [front]; d := [front + 1]; n := d + nil; 
{x = a * front ↦ a, n − nil * dl α (n, front, nil, back)} 
dispose(front); dispose(front + 1); 
{x = a * dl α (n, front, nil, back)} 
setlptr(n, front, nil; back) 
{x = a * dl α (n, nil, nil, back)} 

This code stores the data of the first node in the variable x and obtains the 
next pointer n using arithmetic with the difference field. The placement of * 
sets us up for disposing front and front + 1: The precondition to these two 
commands is equivalent to an assertion of the form (front ↦ a) * (front + 1 ↦ 
n' − nil) * R, which is compatible with what is given by two applications of 
the weakest precondition rule for dispose. After the disposals have been done, 
the procedure call setlptr(n, front, nil; back) resets the difference field of the 
node n so that its previous node becomes nil. 

The code for setlptr(i, i', k; j') is as follows. 

{dl α (i, i', nil, j')} 
if i = nil then 
  {α = ε ∧ emp ∧ i = nil} 
  j' := k 
  {α = ε ∧ emp ∧ i = nil ∧ k = j'} 
else 
  {∃α', a, n. (α = aα') * dl α' (n, i, nil, j') * (i ↦ a, n − i')} 
  [i + 1] := [i + 1] + i' − k 
  {∃α', a, n. (α = aα') * dl α' (n, i, nil, j') * (i ↦ a, n − k)} 
{dl α (i, k, nil, j')} 
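As an added example (not code from the paper), the following Python model runs the doubly-linked queue of this section: the heap is a dict from addresses to contents, with membership playing the role of the access bit, nil is modelled as 0, cons hands out consecutive fresh addresses (a constructed allocation policy), and dl is the predicate dl α (i, i', j, j') written as a checker that accepts only heaps consisting exactly of the listed nodes. The enqueue, dequeue, setrptr and setlptr functions follow the code above line by line.

```python
# Added example (not from the paper): an executable model of the difference-field
# representation of doubly-linked lists and of the queue code above. The heap is a
# dict from addresses to contents; membership plays the role of the "access bit",
# so any access to an inactive address raises MemoryFault. nil is modelled as 0,
# cons allocates consecutive fresh cells (constructed policy), and dl(...) is the
# predicate dl α (i, i', j, j') run as a checker.

NIL = 0


class MemoryFault(Exception):
    """Raised on a read, write or dispose of an inactive address."""


class Heap:
    def __init__(self, cells=None, fresh=100):
        self.cells = dict(cells or {})
        self._fresh = fresh                 # constructed: next address handed out by cons

    def read(self, addr):
        if addr not in self.cells:
            raise MemoryFault(f"read of inactive address {addr}")
        return self.cells[addr]

    def write(self, addr, value):
        if addr not in self.cells:
            raise MemoryFault(f"write to inactive address {addr}")
        self.cells[addr] = value

    def dispose(self, addr):
        if addr not in self.cells:
            raise MemoryFault(f"dispose of inactive address {addr}")
        del self.cells[addr]

    def cons(self, *values):
        """cons(v0, v1, ...): allocate consecutive fresh cells holding v0, v1, ...; return the first."""
        base = self._fresh
        for k, v in enumerate(values):
            self.cells[base + k] = v
        self._fresh += len(values)
        return base


def dl(heap, seq, i, i_prev, j, j_last):
    """dl α (i, i', j, j') as a checker. Node i holds (a, next - prev); walking the
    sequence from i with prev = i' must consume every cell of the heap (the ε case
    is emp) and must end with next = j and last node = j'. Extra cells make it false."""
    cells = dict(heap.cells)
    prev, cur = i_prev, i
    for a in seq:
        if cur == NIL or cur not in cells or cur + 1 not in cells or cells[cur] != a:
            return False
        nxt = cells[cur + 1] + prev          # the difference field stores next - prev
        del cells[cur], cells[cur + 1]
        prev, cur = cur, nxt
    return not cells and cur == j and prev == j_last


def setrptr(heap, j, j_last, k, i):
    """setrptr(j, j', k; i): make k the right neighbour of j'; returns the (possibly new) front i."""
    if j_last == NIL:                        # α = ε: the queue is empty, so its front becomes k
        return k
    d = heap.read(j_last + 1)
    heap.write(j_last + 1, k + d - j)        # (j - p) + k - j = k - p
    return i


def setlptr(heap, i, i_prev, k, j_last):
    """setlptr(i, i', k; j'): make k the left neighbour of i; returns the (possibly new) back j'."""
    if i == NIL:
        return k
    heap.write(i + 1, heap.read(i + 1) + i_prev - k)   # (n - i') + i' - k = n - k
    return j_last


def enqueue(heap, front, back, a):
    t = back
    back = heap.cons(a, NIL - t)
    front = setrptr(heap, NIL, t, back, front)
    return front, back


def dequeue(heap, front, back):
    x = heap.read(front)                     # faults on an empty queue: dl aα excludes that case
    n = heap.read(front + 1) + NIL
    heap.dispose(front)
    heap.dispose(front + 1)
    back = setlptr(heap, n, front, NIL, back)
    return x, n, back


def demo():
    """Enqueue a, b, c, then dequeue once, checking dl before and after."""
    h, front, back = Heap(), NIL, NIL
    for a in "abc":
        front, back = enqueue(h, front, back, a)
    full = dl(h, "abc", front, NIL, NIL, back)
    x, front, back = dequeue(h, front, back)
    return x, full, dl(h, "bc", front, NIL, NIL, back)


def dequeue_on_empty_faults():
    """Running dequeue outside its precondition (empty queue) produces a memory fault."""
    try:
        dequeue(Heap(), NIL, NIL)
    except MemoryFault:
        return True
    return False
```

The checker is deliberately tight: dl ab on the heap of the small example (cells 5, 6, 8, 9) succeeds, while the same heap with one extra active cell fails, which is exactly the emp ∧ ... reading of the ε case that lets the Frame Rule do its work in the proofs above.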

8 Memory Faults and Tight Specifications 

In this paper we will not include a semantics of commands or precise interpreta- 
tion of triples, but in this section we give an informal discussion of the semantic 
properties of triples that the axiom system relies on. 
Usually, the specification form {P}C{Q} is interpreted “loosely”, in the sense 
that C might cause state changes not described by the pre and postcondition. 
This leads to the need for explicit frame axioms. An old idea is to instead con- 
sider a “tight” interpretation of {P}C{Q}, which should guarantee that C only 
alters those resources mentioned in P and Q; unfortunately, a precise defini- 
tion of the meaning of tight specifications has proven elusive [1]. However, the 
description of local reasoning from the Introduction, where a specification and 
proof concentrate on a circumscribed area of memory, requires something like 
tightness. The need for a tight interpretation is also clear from the small axioms, 
or the specifications of setlptr, setrptr and CopyTree. 

To begin, the model here calls for a notion of memory fault. This can be 
pictured by imagining that there is an “access bit” associated with each location, 
which is on iff the location is in the domain of the heap. Any attempt to read 
or write a location whose access bit is off causes a memory fault, so if E is not 
an active address then [E] := E' or x := [E] results in a fault. A simple way 
to interpret dispose(E) is so that it faults if E is not an active address, and 
otherwise turns the access bit off. 

Then, a specification {P}C{Q} holds iff, whenever C is run in a state satisfy- 
ing P: (i) it does not generate a fault; and (ii) if it terminates then the final state 
satisfies Q. (This is a partial correctness interpretation; the total correctness vari- 
ant alters (ii) by requiring that there are no infinite reductions.) For example, 
according to the fault-avoiding interpretation, {17 ↦ −} [17] := 4 {17 ↦ 4} holds 
but {true} [17] := 4 {17 ↦ 4} does not. The latter triple fails because the empty 
heap satisfies true but [17] := 4 generates a memory fault when executed in the 
empty heap. 

In the logic, faults are precluded by the assumptions E ↦ − and E ↦ n in 
the preconditions of the small axioms for [E] := E', x := [E] and dispose(E). 

The main point of this section is that this fault-avoiding interpretation of 
{P}C{Q} gives us a precise formulation of the intuitive notion of tightness. (We 
emphasize that this requires faults, or a notion of enabled action, and we do not 
claim that it constitutes a general analysis of the notion of tight specification.) 

The avoidance of memory faults in specifications ensures that a well- 
specified program can only dereference (or dispose) those heap cells guar- 
anteed to exist by the precondition, or those which are allocated during 
execution. 

Concretely, if one executes a program proved to satisfy {P}C{Q}, starting in a 
state satisfying P, then memory access bits are unnecessary. A consequence is 
that it is not necessary to explicitly describe all the heap cells that don’t change, 
because those not mentioned automatically stay the same. 

Fault avoidance in {P}C{Q} ensures that if C is run in a state strictly 
larger than one satisfying P, then any additional cells must stay unchanged; 
an attempt to write any of the additional cells would falsify the specification, 
because it would generate a fault when applied to a smaller heap satisfying P. 
For example, if {17 ↦ −} C {17 ↦ 4} holds then {(17 ↦ −) * (19 ↦ 3)} C {(17 ↦ 
4) * (19 ↦ 3)} should as well, as mandated by the Frame Rule, because any 
attempt to dereference address 19 would falsify {17 ↦ −} C {17 ↦ 4} if we give 
C a state where the access bit for 19 is turned off. (This last step is delicate, 
in that one could entertain operations, such as to test whether an access bit is 
on, which contradict it; what is generally needed for it is a notion which can be 
detected in the logic but not the programming language.) 
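The fault-avoiding interpretation can be checked mechanically on small heaps. The following is an added example, not code from the paper: a heap is a dict from addresses to values (membership is the access bit), commands are functions on heaps that raise a fault when they touch an inactive address, assertions are predicates on heaps, and a triple is checked over a constructed sample of starting heaps rather than over all heaps. The command store_after_reading is constructed for the example to show why a command that dereferences address 19 cannot satisfy {17 ↦ −} C {17 ↦ 4}.

```python
# Added example (not from the paper): the fault-avoiding interpretation of triples
# run on concrete heaps. A heap is a dict address -> value; being in the dict is the
# "access bit". Commands raise MemoryFault on inactive addresses, assertions are
# predicates on heaps, and a triple is checked over a constructed sample of heaps.


class MemoryFault(Exception):
    pass


def store(addr, value):
    """The command [addr] := value."""
    def cmd(heap):
        if addr not in heap:
            raise MemoryFault(addr)
        heap[addr] = value
        return heap
    return cmd


def store_after_reading(addr, value, other):
    """[addr] := value, but only after dereferencing `other` (constructed to show that
    touching a cell outside the precondition falsifies the small triple)."""
    def cmd(heap):
        if other not in heap:
            raise MemoryFault(other)
        return store(addr, value)(heap)
    return cmd


def points_to(addr, value=None):
    """addr ↦ value, or addr ↦ - when value is None: the heap is exactly that one cell."""
    def pred(heap):
        return set(heap) == {addr} and (value is None or heap[addr] == value)
    return pred


def star(p, q):
    """p * q: the heap splits into two disjoint parts, one satisfying p, the other q."""
    def pred(heap):
        items = list(heap.items())
        for mask in range(1 << len(items)):
            left = {a: v for k, (a, v) in enumerate(items) if (mask >> k) & 1}
            right = {a: v for k, (a, v) in enumerate(items) if not (mask >> k) & 1}
            if p(left) and q(right):
                return True
        return False
    return pred


def true(heap):
    return True


def triple_holds(pre, cmd, post, heaps):
    """{pre} cmd {post} over the sample: every starting heap satisfying pre must run
    without a fault and end in a heap satisfying post (partial correctness)."""
    for h in heaps:
        if not pre(h):
            continue
        try:
            out = cmd(dict(h))
        except MemoryFault:
            return False
        if not post(out):
            return False
    return True


# Constructed sample of starting heaps: empty, cell 17 only, cells 17 and 19, cell 19 only.
SAMPLE = [{}, {17: 0}, {17: 0, 19: 3}, {19: 3}]


def section8_examples():
    """The four triples discussed in the text, in order: tight, loose, framed, and
    a command that peeks at 19 (which the small triple must reject)."""
    tight = triple_holds(points_to(17), store(17, 4), points_to(17, 4), SAMPLE)
    loose = triple_holds(true, store(17, 4), points_to(17, 4), SAMPLE)
    framed = triple_holds(star(points_to(17), points_to(19, 3)), store(17, 4),
                          star(points_to(17, 4), points_to(19, 3)), SAMPLE)
    sneaky = triple_holds(points_to(17), store_after_reading(17, 4, 19),
                          points_to(17, 4), SAMPLE)
    return tight, loose, framed, sneaky
```

The loose triple fails on the empty heap exactly as the text says, the framed triple holds because the command never touches 19, and the constructed peeking command is rejected already by the small triple, since the sample contains a heap where the access bit for 19 is off.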



9 Conclusion 

We began the paper by suggesting that the main challenge facing verification 
formalisms for pointer programs is to capture the informal local reasoning used 
by programmers, or in textbook-style arguments about data structures. Part 
of the difficulty is that pointers exacerbate the frame problem [9, 1]. (It is only 
part of the difficulty because the frame problem does not, by itself, say anything 
about aliasing.) For imperative programs the problem is to find a way, preferably 
succinct and intuitive, to describe or imply the frame axioms, which say what 
memory cells are not altered by a program or procedure. Standard methods, such 
as listing the variables that might be modified, do not work easily for pointer 
programs, because there are often many cells not directly named by variables in 
a program or program fragment. These cells might be accessed by a program by 
following pointer chains in memory, or they might not be accessed even when 
they are reachable. 

The approach taken here is based on two ideas. The first, described in Section 
8, is to use a fault-avoiding interpretation of triples to ensure that additional cells, 
active but not described by a precondition, are not altered during execution. 
The second is to use the * connective to infer invariant properties implied by 
these tight specifications. 

The frame problem for programs is perhaps more approachable than the gen- 
eral frame problem. Programs come with a clear operational semantics, and one 
can appeal to concrete notions such as a program’s footprint. But the methods 
here also appear to be more generally applicable. It would be interesting to give 
a precise comparison with ideas from the AI literature [22] , as well as with vari- 
ations on Modifies clauses [1,8]. We hope to report further on these matters - 
in particular on the ideas outlined in Section 8 - in the future. (Several relevant 
developments can be found in Yang’s thesis [24].) 

There are several immediate directions for further work. First, the interaction 
between local and global reasoning is in general difficult, and we do not mean to 
imply that things always go as smoothly as in the example programs we chose. 
They fit our formalism nicely because their data structures break naturally into 
disjoint parts, and data structures that use more sharing are more difficult to 
handle. This includes tree representations that allow sharing of subtrees, and 
graph structures. Yang has treated a nontrivial example, the Schorr-Waite graph 
marking algorithm, where the spatial implication is used to deal with the 
sharing found there [23]. More experience is needed in this direction. Again, the 
challenging problem is not to find a system that is adequate in principle, but 
rather is to find rules or reasoning idioms that cover common cases simply and 
naturally. 

Second, the reasoning done in examples in this paper is only semi-formal, be- 
cause we have worked semantically when applying the Rule of Consequence. We 
know of enough axioms to support a number of examples, but a comprehensive 
study of the proof theory of the assertion language is needed. Pym has worked 
out a proof theory of the underlying logic BI [17] that we can draw on. But here 
we use a specific model of BI and thus require an analysis of properties special 
to that model. Also needed is a thorough treatment of recursive definitions of 
predicates. 

Finally, the examples involving address arithmetic with difference-linked lists 
are simplistic. It would be interesting to try to verify more substantial programs 
that rely essentially on address arithmetic, such as memory allocators or garbage 
collectors. 
Abstract. Many ideas of Alfred Tarski - one of the founders of modern 
logic - find application in database theory. We survey some of them with 
no attempt at comprehensiveness. Topics discussed include the gener- 
icity of database queries; the relational algebra, the Tarskian definition 
of truth for the relational calculus, and cylindric algebras; relation al- 
gebras and computationally complete query languages; real polynomial 
constraint databases; and geometrical query languages. 
1 Introduction 

Alfred Tarski was one of the founders of modern logic, and a philosopher and 
mathematician of extraordinary breadth and depth. It is therefore not surpris- 
ing that many of his ideas find application also in database theory, a field of 
theoretical computer science where logic plays an important role. In this year 
of Tarski’s hundredth anniversary, it seems desirable to survey some of these 
applications. We will not attempt to be comprehensive, however. 

* I thank Janos Makowsky for having proposed that I write and present this paper. I 
owe a lot to Dirk Van Gucht, database theorist and Tarski fan, for having taught me 
so much during the past ten years, about database theory as well as about Tarski. 

2 Relational Database Queries and Logical Notions 

To begin our discussion, we fix some infinite universe U of atomic data elements. 
In a set-theoretic formalization they would play the role of “urelemente”. 

In the relational approach to database management, introduced by Codd 
[19], we define a database schema S as a finite set of relation names, each with 
an associated arity. A relational database D with schema S then assigns to each 
R ∈ S a finite n-ary relation R^D ⊆ Uⁿ, where n is the arity of R. 

We store information in a database so that we can retrieve it later. The answer 
of a query to a relational database is again a relation: this is very convenient as it 
allows us to compose queries, or to store answers of queries as additional relations 
in the database. The answers ‘yes’ or ‘no’ are represented by the nonempty and 
the empty relation of arity 0, respectively. For example, let S = {R} where the 
arity of R is 2. So, databases over S can be identified with finite binary relations 
on U. Some examples of queries we might want to ask such databases are: 

1. Is there an identical pair in R? (Answer: nullary relation.) 

2. What are the elements occurring in the left column of R, but not in the right 
one? (Answer: unary relation.) 

3. What are the 5-tuples (x₁, x₂, x₃, x₄, x₅) such that (x₁, x₂), (x₂, x₃), (x₃, x₄), 
and (x₄, x₅) are all in R? (Answer: five-ary relation.) 

4. What is the transitive closure of R? (Answer: binary relation.) 

5. Which pairs of elements (x₁, x₂) are such that the sets {y | (x₁, y) ∈ R} and 
{y | (x₂, y) ∈ R} are nonempty and have the same cardinality? (Answer: 
binary relation.) 

6. Is the cardinality of R a prime number? (Answer: nullary relation.) 

At the most general level, we could formally define an n-ary query on S as 
a function q from databases D with schema S to finite relations q(D) ⊆ Uⁿ. 
However, this definition is much too liberal. To illustrate this, let us take the 
same example schema S as above, and a, b and c three different elements of U. 
Now consider the database D₀ where R^{D₀} = {(a, b), (a, c)}, and a unary query 
q₀ on S that maps D₀ to the singleton {b}. This query does not seem “logical:” 
given the information provided by D₀, there is no reason to favor b above c, as 
b and c are completely symmetric in D₀. Note that none of the example queries 
given above has this “unlogical” nature: each of them can be answered purely 
on the basis of the information present in the database, and this is how it should 
be. 

How can we formalize this intuitive notion of a “logical” query? Tarski has 
shown us how [60]. Consider the following cumulative hierarchy of universes U₀, 
U₁, U₂, and so on, and their union U*: 

U₀ := U,    Uₙ₊₁ := U ∪ P(Uₙ),    U* := ⋃ₙ Uₙ 

Here P denotes the powerset operation. Most mathematical objects we want to 
construct on top of U can be formalized as elements of U*. For example, by the 
ordered pair construction (x, y) := {{x}, {x, y}}, ordered pairs of elements of 
U live in U₂, and thus binary relations on U live in U₃. Database queries also 
live in U*. For example, a unary query on binary relations, being itself a binary 
relation from binary relations to unary relations, lives in U₆. More generally, any 
notion involving objects living in U*, such as a property of such objects, or a 
relation among such objects, can itself be formalized as an object living in U*. 

Tarski now calls such a notion logical if it is left invariant by all possible 
permutations of U. So, P ∈ U* is logical if f(P) = P for every permutation f 
of U, where permutations of U are extended to U* in the canonical manner. For 
example, no singleton {a} with a ∈ U is logical: there is no purely logical reason 
to single out any particular atomic data element. The whole set U is logical, and 
so is the empty set. The identity relation {(x, x) | x ∈ U} is logical, and so is 
the diversity relation {(x, y) | x, y ∈ U, x ≠ y}. The higher we go up in the 
cumulative hierarchy, the more complex logical notions we find. In particular, 
queries may or may not be logical. For example, the “unlogical” query q₀ from 
above is indeed not logical in the sense of Tarski. For if it were, it would have to 
be invariant under the transposition t = (b c) and thus would have to contain 
not only the pair (D₀, {b}) but also the pair (t(D₀), {t(b)}) = (D₀, {c}), which is 
impossible as q₀ is a function. On the other hand, all the earlier example queries 
1-6 are readily seen to be logical. 

Unaware of this¹, Chandra and Harel [16], and independently Aho and Ull- 
man [6], based on practical considerations, pointed out the following “univer- 
sality property” (as A&U called it), or “consistency criterion” (as C&H called 
it) for database queries. It is now generally known as the genericity of database 
queries², and says that for any query q, databases D₁ and D₂, and permutation 
f of U, if f(D₁) = D₂, then also f(q(D₁)) = q(D₂). Clearly, a query is generic 
in this sense if and only if it is logical. So, interestingly, Tarski’s definition of 
logical notion somehow inevitably turned out to hold for database queries. 
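The genericity criterion can be tested directly on a finite database. The following is an added example, not code from the paper: the six example queries of this section and the “unlogical” q₀ are written as Python functions from a finite binary relation R (a set of pairs) to a relation, and is_generic checks f(q(R)) = q(f(R)) for every permutation f of the active domain of R, a constructed sample of the permutations of U (a permutation of U that fixes everything outside the active domain acts on R in the same way).

```python
# Added example (not from the paper): the six example queries and the "unlogical"
# q0 as functions on a finite binary relation R (a set of pairs), plus a genericity
# check restricted to permutations of the active domain of R.

from itertools import permutations


def successors(R):
    succ = {}
    for x, y in R:
        succ.setdefault(x, set()).add(y)
    return succ


def q1(R):  # is there an identical pair? nullary: {()} means yes, {} means no
    return {()} if any(x == y for x, y in R) else set()


def q2(R):  # elements in the left column but not in the right one
    return {(x,) for x, _ in R} - {(y,) for _, y in R}


def q3(R):  # 5-tuples forming a chain of four R-edges
    succ = successors(R)
    return {(x1, x2, x3, x4, x5)
            for x1, x2 in R
            for x3 in succ.get(x2, ())
            for x4 in succ.get(x3, ())
            for x5 in succ.get(x4, ())}


def q4(R):  # transitive closure
    closure = set(R)
    while True:
        step = {(x, w) for x, y in closure for z, w in R if y == z}
        if step <= closure:
            return closure
        closure |= step


def q5(R):  # pairs whose (nonempty) successor sets have the same cardinality
    succ = successors(R)
    return {(x1, x2) for x1 in succ for x2 in succ if len(succ[x1]) == len(succ[x2])}


def q6(R):  # is |R| prime? nullary
    n = len(R)
    return {()} if n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1)) else set()


D0 = {("a", "b"), ("a", "c")}   # the database D0 of the text


def q0(R):  # the "unlogical" query: maps D0 to {b} and everything else to the empty relation
    return {("b",)} if R == D0 else set()


def apply_perm(f, rel):
    """Extend a permutation f of atoms (given as a dict) to tuples and relations."""
    return {tuple(f.get(v, v) for v in t) for t in rel}


def is_generic(q, R):
    """f(q(R)) == q(f(R)) for every permutation f of the active domain of R."""
    dom = sorted({v for t in R for v in t})
    for image in permutations(dom):
        f = dict(zip(dom, image))
        if apply_perm(f, q(R)) != q(apply_perm(f, R)):
            return False
    return True


def genericity_report(R=D0):
    return {name: is_generic(q, R)
            for name, q in [("q0", q0), ("q1", q1), ("q2", q2), ("q3", q3),
                            ("q4", q4), ("q5", q5), ("q6", q6)]}
```

On D₀ the transposition (b c) maps D₀ to itself but {b} to {c}, so q₀ fails the check, while q₁ to q₆ pass for every permutation of {a, b, c}; this is the argument of the text run as a computation.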

We note that Tarski saw his definition in the context of Klein’s Erlanger Pro- 
gramm [66] in which different geometries are identified with the groups of trans- 
formations under which the fundamental notions of the geometry in question 
are left invariant. For example, topology could be defined as the geometry whose 
notions are left invariant by continuous transformations (homeomorphisms) . Ac- 
cording to Tarski then, logic is the “geometry” whose notions are left invariant 
by all transformations. 

3 The Relational Algebra and First-Order Queries 

A fundamental insight of Codd was that many complex operations performed on 
data files can be expressed as combinations of five basic operators on relations: 

1. union of two relations of the same arity; 

2. difference between two relations of the same arity; 

3. cartesian product: if r is of arity n and s is of arity m, then r × s equals 
{(x₁, ..., xₙ, y₁, ..., yₘ) | (x₁, ..., xₙ) ∈ r and (y₁, ..., yₘ) ∈ s}; 

4. projection: if x = (x₁, ..., xₙ) is an n-tuple and i₁, ..., iₚ ∈ {1, ..., n}, 
then π_{i₁,...,iₚ}(x) equals (x_{i₁}, ..., x_{iₚ}); if r is an n-ary relation then 
π_{i₁,...,iₚ}(r) equals {π_{i₁,...,iₚ}(x) | x ∈ r}; 

5. selection: if r is of arity n and i, j ∈ {1, ..., n}, then σ_{i=j}(r) equals {(x₁, ..., 
xₙ) ∈ r | xᵢ = xⱼ}. 

A query on a schema S is said to be expressible in the relational algebra 
if it can be defined by an expression built from the relation names of S using 
the above five operators. For example, example query no. 2 from the previ- 
ous section is easily expressed as π₁(R) − π₂(R), and example query no. 3 as 
π_{1,2,4,6,8} σ_{2=3} σ_{4=5} σ_{6=7}(R × R × R × R). 

¹ The paper cited [60] was only published in 1986, but is based on a talk delivered by 
Tarski twenty years earlier. 

² The specific term ‘genericity’ was first used for this purpose by Hull and Yap [36] 
and caught on. 
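As an added example (not code from the paper), the five operators can be implemented on relations represented as Python sets of tuples, with 1-based indices as in the text, and the two expressions π₁(R) − π₂(R) and π_{1,2,4,6,8} σ_{2=3} σ_{4=5} σ_{6=7}(R × R × R × R) compared with the direct definitions of example queries 2 and 3 on a constructed relation.

```python
# Added example (not from the paper): Codd's five operators on relations as sets of
# tuples (1-based indices), and the two algebra expressions of the text checked
# against the direct definitions of example queries 2 and 3.


def union(r, s):
    return r | s


def difference(r, s):
    return r - s


def product(r, s):
    return {x + y for x in r for y in s}


def project(indices, r):
    return {tuple(x[i - 1] for i in indices) for x in r}


def select(i, j, r):
    return {x for x in r if x[i - 1] == x[j - 1]}


def query2_algebra(R):
    """π1(R) − π2(R)."""
    return difference(project((1,), R), project((2,), R))


def query3_algebra(R):
    """π_{1,2,4,6,8} σ_{2=3} σ_{4=5} σ_{6=7}(R × R × R × R)."""
    r4 = product(product(product(R, R), R), R)          # arity 8
    return project((1, 2, 4, 6, 8), select(6, 7, select(4, 5, select(2, 3, r4))))


def query2_direct(R):
    return {(x,) for x, _ in R} - {(y,) for _, y in R}


def query3_direct(R):
    return {(x1, x2, x3, x4, x5)
            for x1, x2 in R for y2, x3 in R for y3, x4 in R for y4, x5 in R
            if y2 == x2 and y3 == x3 and y4 == x4}


SAMPLE_R = {(1, 2), (2, 3), (3, 4), (4, 5), (2, 5), (6, 1)}   # constructed relation
```

The three selections glue the four copies of R into a chain, and the projection keeps one copy of each shared coordinate, which is why the answer is 5-ary rather than 8-ary.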

A classical theorem of Codd [20] identifies the queries expressible in the re- 
lational algebra with the first-order queries. An n-ary query q on S is called 
first-order if there is a first-order formula φ(x₁, ..., xₙ) over the relational vo- 
cabulary S, such that for every database D, 

q(D) = {(a₁, ..., aₙ) ∈ |D|ⁿ | D ⊨ φ[a₁, ..., aₙ]}. 

Here, |D| denotes the active domain of D, consisting of all elements of U actually 
occurring in one of the relations of D. In evaluating D ⊨ φ[a₁, ..., aₙ], we view 
D as an S-structure (in the sense of model theory) with (finite) domain |D|. 
Codd referred to first-order logic used to express queries in this way as the 
relational calculus. 

Tarski being one of the founders of modern logic, it is not surprising that the 
first-order queries owe a lot to him. We mention just two things: 

1. The now-standard definition of satisfaction of a formula in a structure was 
originally conceived by Tarski [55]. Thanks to Codd, every student of com- 
puter science gets in touch with the syntax and the Tarskian semantics of 
first-order logic, in the form of the relational calculus seen in the databases 
course. 

2. In view of the previous section, we should also ask ourselves whether first- 
order queries actually satisfy the genericity criterion, or, equivalently, are 
they logical in the sense of Tarski? They sure are: in fact, already in 1936 
Tarski and Lindenbaum [44] noted that not just first-order, but full typed 
higher-order logic can define only logical notions. Nowadays this sounds like 
a tautology, but back in the days when modern logic was still in the process 
of being defined, this was a fundamental observation. 

In connection with Codd’s theorem two more of Tarski’s ideas find an applica- 
tion in database theory. We discuss them separately in the following subsections. 
3.1 Relational Completeness 

Codd thought of his theorem as a completeness result for the relational algebra: 
the class of first-order queries was the reference level of expressiveness query 
languages should aim for. Codd called a query language relationally complete 
if it could express all first-order queries. Later, people started to realize that a 
lot of interesting queries are not first-order [6,16,17]. For example, of the list 
of example queries given in the previous section, queries no. 4, 5 and 6 are not 
first-order. 

So, relational completeness is not everything. However, there still is a sense 
in which the relational algebra (or equivalently, first-order logic) can be consid- 
ered a “complete” database query language, as was independently discovered by 
Bancilhon [8] and Paredaens [47]. They showed that for any database D, and any 
relation r ⊆ |D|ⁿ such that every automorphism of D is also an automorphism 
of r, there exists a first-order query q such that q(D) = r. Here, an automor- 
phism of D (r) is a permutation f of U such that f(D) = D (f(r) = r). Note 
that the conditions of the theorem are necessary: for any generic n-ary query q, 
q(D) ⊆ |D|ⁿ and has at least the automorphisms of D. 

This “BP-completeness” of first-order logic, as it came to be called, actu- 
ally follows from an early model-theoretic insight of Tarski, and another early 
model-theoretic theorem known as Beth’s theorem. When he introduced the no- 
tion of elementary equivalence of structures [53,54], Tarski noted that two finite 
structures are elementary equivalent only if they are isomorphic. Actually, given 
a finite structure D one can always write a single first-order sentence that is 
satisfied by any structure D' if and only if D' is isomorphic to D. 

Now let D, over S, and r be as in the BP-completeness theorem. Let S' be the 
expansion of S with an extra n-ary relation name R, and let D' be the expansion 
of D to S' by putting R^{D'} := r. As D' is a finite structure, we can, by the above, 
write a first-order sentence φ such that any database B over S' satisfies φ iff B 
is isomorphic to D'. Take any two B₁ and B₂ with B₁ ⊨ φ and B₂ ⊨ φ; so 
there are permutations f₁ and f₂ of U so that f₁(B₁) = D' and f₂(B₂) = D'. 
But then f₂f₁⁻¹ is an automorphism of D and hence, by assumption, also of r. 
So, f₂f₁⁻¹(r) = r, whence R^{B₁} = f₁⁻¹(r) = f₂⁻¹(r) = R^{B₂}. 

We thus observe that φ implicitly defines R in terms of S. By Beth’s theorem, 
there is a first-order formula ψ over S such that in any model of φ the 
equivalence ∀x̄(R(x̄) ↔ ψ) holds. This holds in particular in D' itself, by which 
we conclude that ψ(D) = r. 

We have thus easily derived the BP-completeness of first-order logic from 
some of the earliest model-theoretic results that were established. Still we rec- 
ommend Paredaens’s direct proof, which uses the relational algebra and is very 
elegant³. 



³ Recently, Cohen, Gyssens and Jeavons [21] showed that even the relational algebra 
without the union and difference operators, but with nonequality selections, is 
already BP-complete, on condition the active domain is directly available as one of 
the relations (or a projection of them), and has at least 3 elements. 

3.2 Cylindric Set Algebras 

Take a first-order formula φ, and let the different variables occurring in it, free 
or bound, be x₁, ..., xₙ. When we follow the Tarskian semantics of φ on a 
structure A and determine inductively for every subformula ψ the set of 
n-tuples (a₁, ..., aₙ) ∈ Aⁿ under which ψ is true in A, we notice that at every 
inductive step we perform one of the following three operations on these n-ary 
relations: 

1. union, to evaluate ∨; 

2. complementation with respect to Aⁿ, to evaluate ¬; and 

3. cylindrification along dimension i, to evaluate ∃xᵢ. 

By the cylindrification along dimension i of a relation r ⊆ Aⁿ, with i ∈ {1, ..., n}, 
we mean the operation 

γᵢ(r) := {(a₁, ..., aₙ) ∈ Aⁿ | ∃a ∈ A : (a₁, ..., aᵢ₋₁, a, aᵢ₊₁, ..., aₙ) ∈ r}. 

These three operations, together with the constant relations δᵢⱼ = {(a₁, ..., 
aₙ) ∈ Aⁿ | aᵢ = aⱼ}, called the diagonals and needed to evaluate equality atoms 
xᵢ = xⱼ, constitute the full n-dimensional cylindric set algebra with base A. 
Cylindric set algebras are canonical examples of the general class of abstract 
cylindric algebras, which has an equational definition in the usual style abstract 
algebraic structures are defined. Cylindric algebras are the same to first-order 
logic as Boolean algebras are to propositional logic, and they were introduced 
by Tarski and his collaborators [31,32,33,34]. 

We thus see that a relational algebra in much the same spirit as Codd’s 
was already considered by Tarski⁴. Concretely, let S be a schema, and take n 
strictly larger than the arity of every relation name in S. We can build up n-CSA 
expressions over S from the relation names in S and the constants δᵢⱼ using the 
operators e₁ ∪ e₂, ¬e, and γᵢ(e). When evaluating an n-CSA expression e on a 
database D with schema S, the operators and constants are interpreted as in 
the full n-dimensional cylindric set algebra with base |D|. Each relation name 
R is interpreted as the n-ary relation R^D × |D|ⁿ⁻ᵐ, if the arity of R is m. We 
then have: 

Theorem 1. An n-ary query is expressible in n-CSA in the sense just defined, 
if and only if it is expressible by a first-order formula using at most n different 
variables. 

Proof. Let the n variables be x₁, ..., xₙ. The only thing we have to show is that 
atomic first-order formulas of the form R(...) can be expressed in n-CSA. Only 
for formulas of the form R(x₁, ..., xₘ) is this immediate, by the expression R. 
The following example will suffice to explain the argument. Let n = 3, m = 2, 
and consider the formula R(x₂, x₃). Note that the expression R expresses the 
formula R(x₁, x₂). We first copy the second column of R into its third column 
(which is “free:” recall that R stands for R^D × |D|). Then we cylindrify the 
second column, after which we copy the first column to the now free second 
column. We finally cylindrify the first column. Formally, the following n-CSA 
expression expresses R(x₂, x₃): 

γ₁(γ₂(R ∩ δ₂,₃) ∩ δ₁,₂) 

In general, the existence of a “free column” guarantees us the room to per- 
form the necessary transpositions on the columns to go from R(x₁, ..., xₘ) to 
R(x_{p(1)}, ..., x_{p(m)}) for an arbitrary permutation p of {1, ..., n}. 

⁴ Imielinski and Lipski [37] were the first to point out the connection between Codd’s 
relational algebra and cylindric set algebras. 
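The column-shuffling argument of the proof can be run as a computation. The following is an added example, not code from the paper: it implements the full n-dimensional cylindric set algebra with base A, the interpretation R^D × |D|^{n−m} of a relation name, and the 3-CSA expression γ₁(γ₂(R ∩ δ₂,₃) ∩ δ₁,₂), checking it against the direct meaning of R(x₂, x₃) on a constructed relation. Intersection is derived from ∪ and ¬ by De Morgan, as in any Boolean algebra.

```python
# Added example (not from the paper): the full n-dimensional cylindric set algebra with
# base A, the lifting R × A^{n−m} of a relation name, and the 3-CSA expression of the
# proof compared with the direct meaning of R(x2, x3).

from itertools import product


def full_space(A, n):
    return set(product(A, repeat=n))


def lift(R, m, A, n):
    """Interpret an m-ary relation name as the n-ary relation R × A^{n−m}."""
    return {t + rest for t in R for rest in product(A, repeat=n - m)}


def complement(r, A, n):
    return full_space(A, n) - r


def intersect(r, s, A, n):
    """r ∩ s, derived from ∪ and ¬ as in any Boolean algebra."""
    return complement(complement(r, A, n) | complement(s, A, n), A, n)


def diagonal(i, j, A, n):
    """δ_ij: tuples whose i-th and j-th coordinates agree (1-based)."""
    return {t for t in full_space(A, n) if t[i - 1] == t[j - 1]}


def cylindrify(i, r, A, n):
    """γ_i(r): free the i-th coordinate."""
    return {t[:i - 1] + (a,) + t[i:] for t in r for a in A}


def r_x2_x3_csa(R, A):
    """γ1(γ2(R ∩ δ2,3) ∩ δ1,2) for binary R and n = 3."""
    n = 3
    lifted = lift(R, 2, A, n)                                                   # R(x1, x2)
    step = cylindrify(2, intersect(lifted, diagonal(2, 3, A, n), A, n), A, n)   # copy col 2 to 3, free col 2
    return cylindrify(1, intersect(step, diagonal(1, 2, A, n), A, n), A, n)     # copy col 1 to 2, free col 1


def r_x2_x3_direct(R, A):
    return {(a1, a2, a3) for a1 in A for a2 in A for a3 in A if (a2, a3) in R}


def active_domain(R):
    return {v for t in R for v in t}


SAMPLE_R = {(1, 2), (2, 3), (3, 1)}   # constructed binary relation
```

Each step depends on the third column being free: intersecting with δ₂,₃ copies column 2 into column 3, and cylindrifying column 2 then erases the original without losing the value, which is why the theorem asks for n strictly larger than the arity.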

The trick used in the above proof is again an idea of Tarski [59]: he used it 
to give a substitution-free axiom system for first-order logic. Note how crucial it 
is in this respect that n is strictly larger than the arity of each relation name. 
Without this condition, the theorem does not seem to hold, although we have 
not proven this formally. The idea is that, with R binary for example, there are 
only a finite number of non-equivalent 2-CSA expressions over the schema {R}. 
However, there are infinitely many non-equivalent formulas with 2 variables over 
this schema. 

The above theorem gives us a relational algebra for n-variable first-order 
logic. Bounded-variable fragments of first-order and infinitary logic were vigor- 
ously investigated in finite-model theory over the last decade [25,46] , for a large 
part motivated by database theory, in particular the seminal paper by Abiteboul 
and Vianu [5]. (Another major motivation is descriptive complexity [38].) 

4 Relation Algebras 

In parallel with his work on cylindric algebras, Tarski also promoted relation 
algebras [18,51,61]. Like cylindric algebras, these are again a generalization of 
Boolean algebras, but in another direction. They have again an abstract equa- 
tional definition, but we will only be concerned here with the operations of the 
proper relation algebra with base A, where A is a set of atomic data elements. 
These operations are defined on binary relations over A only and comprise the 
following: 

1. union; 

2. complementation with respect to A²; 

3. composition: r ∘ s := {(x, y) | ∃z : (x, z) ∈ r and (z, y) ∈ s}; 

4. conversion: r˘ := {(x, y) | (y, x) ∈ r}. 

For the remainder of this section, we fix a database schema S with all relation 
names binary. This is not a heavy restriction: an n-ary relation can easily and 
naturally be represented by n binary relations, and, as advocates of the Decom- 
posed Storage Model argue quite convincingly [22,41], it can even be beneficial 
to do so from a systems engineering point of view. 
Again we can build expressions starting from the relation names in S, and the 
constant Id, using the four operators above. We will call these RA-expressions. 
On a database D with schema S, an RA-expression e can be evaluated by in- 
terpreting the relation names as given by D, interpreting the constant Id as the 
identity relation on |D|, and interpreting the operations relative to base set |D|. 
The result is a binary relation e(D). So, RA-expressions always express binary 
queries. 

Queries expressible in RA are clearly first-order, and actually a substantial 
number of first-order queries are expressible in RA. For example: 

1. Recalling example query no. 2 from Section 2, 

(Id ∩ R ∘ (Id ∪ ¬Id)) − (Id ∩ (Id ∪ ¬Id) ∘ R) 

expresses {(x, x) | ∃y R(x, y) ∧ ¬∃z R(z, x)}. 

2. Recalling example query no. 3, R ∘ R ∘ R ∘ R expresses {(x₁, x₅) | ∃x₂, x₃, x₄ 
(R(x₁, x₂) ∧ R(x₂, x₃) ∧ R(x₃, x₄) ∧ R(x₄, x₅))}. 

3. R ∘ (¬Id ∩ R ∘ R) expresses {(x, y) | R(x, y) ∧ ∃z ≠ y : R(x, z)}. 

Note that the above three example RA queries can actually already be expressed with a first-order formula using only 3 distinct variables. Indeed, in the first formula we could have reused the bound variable y instead of introducing a new bound variable z. The second query can be equivalently expressed as

$$ \{(x,y) \mid \exists z(\exists y(\exists z(R(x,z) \wedge R(z,y)) \wedge R(y,z)) \wedge R(z,y))\} $$

using just 3 variables. This is no coincidence; it is readily verified that any RA query is in FO³ (first-order queries expressible using only 3 variables). Tarski and Givant [61] showed the converse: a binary query on binary relations is expressible in RA precisely when it is in FO³.

4.1 From RA to FO by Pairing

So, RA seems rather limited in expressive power. However, Tarski and Givant also showed that in the presence of a "pairing axiom," RA becomes as powerful as full first-order logic. We give a nice concretization of this general idea, due to Gyssens, Saxton and Van Gucht [28].

Consider the following two "pairing" operations on a binary relation r on some base set A:

- left tagging: rˡ := {(x,(x,y)) | (x,y) ∈ r};

- right tagging: rʳ := {((x,y),y) | (x,y) ∈ r}.

Note that the resulting relations are not on A anymore, but on A ∪ A². This suggests building up a universe U⁺ on top of U, similar to the universe U* we considered in Section 2:

$$ U^+_0 := U, \qquad U^+_{i+1} := U^+_i \cup (U^+_i)^2, \qquad U^+ := \bigcup_i U^+_i . $$
Left tagging and right tagging can now be naturally viewed as operations on binary relations on U⁺.

Our objective, of course, is to add the pairing operations to RA. A problem with this, however, is that when we want to evaluate an expression containing these operations on a database D, it no longer makes sense to perform the complementation operation with respect to |D|, as we are really working in |D|⁺. We cannot complement with respect to the full U⁺ either, as this could yield infinite relations, and we have been working with finite databases from the outset. A simple way out is to redefine complementation relative to the active domain of a relation. So, for any binary relation r, we define

$$ \neg r := \{(x,y) \in |r|^2 \mid (x,y) \notin r\}, $$

where |r| = {x | ∃y : (x,y) ∈ r or (y,x) ∈ r}. A second modification we make to RA is that we throw away Id, since we don't need it anymore: for example, R ∩ Id is expressible as (Rˡ ∩ (Rʳ)˘) ∘ Rʳ.

We denote RA, modified as just described, and enriched with the pairing operations, by RA⁺. Evaluating an RA⁺-expression e on a database D in general yields a binary relation e(D) on |D|⁺. Such binary relations can represent n-ary relations on |D|. For example, we can represent the ternary relation {(a,b,c),(d,e,f)} as {(a,(b,c)),(d,(e,f))}. Using such representations, we leave it as an exercise to the reader to simulate Codd's relational algebra in RA⁺. So RA⁺ has the full power of the first-order queries.

We conclude that Tarski produced two alternatives for Codd’s relational 
algebra: cylindric set algebra, and relation algebra with pairing. From a systems 
engineering perspective, Codd’s algebra remains of course very attractive [48]. 

4.2 A Computationally Complete Query Language Based on RA+ 

Recall that on the most general level, given a schema S, we defined a generic n-ary query on S to be any (possibly partial) function from databases with schema S to finite n-ary relations on U that is invariant under every permutation of U. Genericity allows us to give a standard definition of when a query is "computable." Note that this is not immediate, because standard computability works with concrete data objects, like natural numbers, or strings over a finite alphabet, while our atomic data elements in U remain abstract.

The computability definition, given in a seminal paper by Chandra and Harel [16], goes as follows. Let D be a database and suppose the cardinality of |D| is m. Any bijection |D| → {1, ..., m} is called an enumeration of D. The image of D under an enumeration yields a concrete object with which we can deal using the standard computational models. We now say that query q is computable if there is a computable function C in the standard sense, such that for every database D, q(D) is defined if and only if C is defined on every enumeration X of D, and in this case C(X) always equals an enumeration of q(D).

We can capture the class of computable generic queries by making RA⁺ into a programming language. It suffices to add variables holding finite binary relations on U⁺, assignment statements of the form X := e, where X is a variable and e is an RA⁺-expression over the relation names in S and the variables, and to build up programs from these statements using composition and while-loops of the form 'while e ≠ ∅ do P'. We give programs the obvious operational semantics. For example, the following program computes the transitive closure of R:

X := R;

while (X ∘ R) − X ≠ ∅ do
    X := X ∪ X ∘ R.

Every program expresses a query by designating one of the variables as the 
output variable. This query is evidently generic and computable. 
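The four RA operations, the three example RA queries of this section, and the QL transitive-closure program just given, evaluated on a small constructed database. This is an added Python example, not code from the paper; the sample database and all function names are this example's own, and complementation is the one of Section 4, relative to |D|².

```python
# Added example (not from the paper): proper relation algebra over the
# active domain |D|, the three example RA queries of Section 4, and the
# QL while-program for transitive closure, run on a constructed database.
from itertools import product


def union(r, s):
    return r | s


def complement(r, base):
    """Complementation with respect to base x base (Section 4's RA)."""
    return {(x, y) for x, y in product(base, repeat=2) if (x, y) not in r}


def compose(r, s):
    """r o s = {(x, y) | exists z: (x, z) in r and (z, y) in s}."""
    by_first = {}
    for z, y in s:
        by_first.setdefault(z, set()).add(y)
    return {(x, y) for x, z in r for y in by_first.get(z, ())}


def converse(r):
    return {(y, x) for x, y in r}


def identity(base):
    return {(x, x) for x in base}


def active_domain(db):
    """|D|: every element occurring in some relation of the database."""
    return {x for rel in db.values() for pair in rel for x in pair}


def query1(db):
    """{(x,x) | exists y R(x,y) and not exists z R(z,x)}, as the RA expression
    (Id ∩ (R ∘ (Id ∪ ¬Id))) − (Id ∩ ((Id ∪ ¬Id) ∘ R))."""
    base = active_domain(db)
    R, Id = db["R"], identity(base)
    univ = union(Id, complement(Id, base))  # Id ∪ ¬Id is all of |D|²
    return (Id & compose(R, univ)) - (Id & compose(univ, R))


def query2(db):
    """R ∘ R ∘ R ∘ R: pairs joined by a path of exactly four R-edges."""
    R = db["R"]
    return compose(compose(compose(R, R), R), R)


def query3(db):
    """{(x,y) | R(x,y) and exists z != y : R(x,z)}, as R ∩ (R ∘ ¬Id)."""
    base = active_domain(db)
    R = db["R"]
    return R & compose(R, complement(identity(base), base))


def transitive_closure(db):
    """The QL program of Section 4.2 under its operational semantics:
        X := R;
        while (X ∘ R) − X ≠ ∅ do X := X ∪ X ∘ R."""
    R = db["R"]
    X = set(R)
    while compose(X, R) - X:
        X = union(X, compose(X, R))
    return X


# Constructed sample database over the single binary relation name R:
# a path 1 -> 2 -> 3 -> 4 -> 5 plus a side branch 1 -> 6.
SAMPLE_DB = {"R": {(1, 2), (2, 3), (3, 4), (4, 5), (1, 6)}}

if __name__ == "__main__":
    print(sorted(query1(SAMPLE_DB)))  # only 1 has a successor but no predecessor
    print(sorted(query2(SAMPLE_DB)))  # the one path of length four
    print(sorted(query3(SAMPLE_DB)))  # edges leaving a node with a second edge
    print(len(transitive_closure(SAMPLE_DB)))
```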

Since the programming language just described is quite similar to the original query language 'QL' first proved to be computationally complete by Chandra and Harel [16], it does no harm to refer to it by the same name. Using as before a representation of n-ary relations on U by binary relations on U⁺, we then have:

Theorem 2 ([16], see also [3,4,1]). Every computable generic query is expressible by a QL-program.

We feel this result is a nice a-posteriori confirmation of Tarski’s conviction that 
relation algebra (with pairing) is a formalism with all the expressive power one 
needs. 

We conclude this section with three remarks. First, given that RA⁺ expressions evaluate to relations on U⁺ rather than on U, one could generalize the notion of query somewhat to yield relations on U⁺, rather than on U, as output. Let us refer to this generalized notion of query as +-query. The notions of genericity and computability readily generalize to +-queries. Then under these generalizations, the language QL just defined is still computationally complete: every computable generic +-query on binary relations is expressible by a program in QL.

Second, in view of the universe U* considered in Section 2, of which U⁺ is only a subuniverse, we can generalize +-queries further to *-queries, which now yield relations on U* as output. QL is then no longer complete [63], but can be easily reanimated by adding a third tagging operation:

- set tagging: rˢ := {(x, {y | (x,y) ∈ r}) | ∃y : (x,y) ∈ r}.

This is an operation on binary relations on U* rather than on U⁺. We then again have that QL enriched with set tagging is computationally complete for the generic *-queries [23,35].

Finally, note that although the tagging operations introduce pairs and sets of elements, these pairs and sets are still treated by the RA operations as atomic abstract elements. So it is natural to replace every element of U* − U occurring in the output of a *-query applied to a database D by a fresh new element in U not in |D|. The class of abstract database transformations that can be obtained from computable generic *-queries in this way has a purely algebraic characterization [2,64].
5 Constraint Databases

Until now we have worked with relational databases over an unstructured universe U of atomic data elements. That the atomic data elements remain abstract and uninterpreted is one of the identifying features of classical database theory, and corresponds in practice to the generic bulk-processing nature of database operations. However, in reality U usually does have a structure of its own, in the form of predicates and functions defined on it, and there are applications where we want to take this structure into account. An important case, on which we will focus in this and the next section, is that of spatial databases containing information with a geometrical interpretation.

Suppose we want to store points in the plane in our database. In this case U is ℝ, the set of real numbers. We use a schema S with a binary relation name S. In a database D with schema S, S^D then is a finite set of pairs of real numbers, i.e., a finite set of points in the plane. In the presence of an "interpreted" universe such as ℝ we need to make a crucial but natural extension to the notion of first-order query: we make the interpreted predicates and functions of our universe available in our first-order formulas. Concretely, in the case of ℝ, we now use formulas over the vocabulary S expanded with the vocabulary (<, +, ·, 0, 1) of ordered fields.

For example, suppose we want to ask whether all points in the database lie on a common circle around the origin. It is tempting to write the following formula for this purpose:

$$ \exists r\, \forall x, y\, (S(x,y) \rightarrow x^2 + y^2 = r^2) $$

However, we should remember from Section 3 that we agreed to evaluate first-order formulas over the active domain of the database. In contrast, the above formula, and in particular the quantifier ∃r, is intended to be evaluated over the whole of ℝ. Since the radius of the circle does not need to be a coordinate of a point in the database, the formula is therefore incorrect as an expression of our query. A correct formula under the active-domain semantics is the following:

$$ \exists x_1, y_1\, \forall x, y\, (S(x,y) \rightarrow x^2 + y^2 = x_1^2 + y_1^2) $$

This example shows that the active-domain semantics for first-order formulas is not very natural in the case of spatial databases. It was fine in the case of an uninterpreted universe U, because there, all elements of U not in the active domain of a database look alike with respect to that database [7]. In contrast, no two reals look alike in first-order logic over the reals with signature (<, +, ·, 0, 1).

We thus have two ways of evaluating a first-order formula φ(x̄) on a real database D. We view D as an expansion of the structure (ℝ, <, +, ·, 0, 1) with the relations of D. When we then write D ⊨_adom φ[ā] for some tuple ā of reals, we mean that φ[ā] becomes true in D when we let each quantifier in φ range over |D| only. When we write D ⊨_natural φ[ā], we mean that φ[ā] becomes true when we let each quantifier range over the whole of ℝ. The natural semantics is definitely more natural than the active-domain semantics, but is it really more powerful? The answer is no: Benedikt and Libkin [11] gave an algorithm that turns any formula φ into another formula ψ such that for every real database D we have D ⊨_natural φ iff D ⊨_adom ψ. From now on we will stick to the natural semantics.

Given the natural semantics, the new issue arises that the result of a first-order query to a real database can easily be infinite, even though the database is finite. For example, the following first-order query returns all points in the convex closure of S:

$$ \{(x,y) \mid \exists x_1, y_1, x_2, y_2, \lambda : S(x_1,y_1) \wedge S(x_2,y_2) \wedge 0 \le \lambda \le 1 \wedge (x,y) = \lambda(x_1,y_1) + (1-\lambda)(x_2,y_2)\} $$

How do we represent these infinite sets?

A solution to this issue was proposed by Kanellakis, Kuper and Revesz in their novel framework of constraint databases [40]. Call the above formula φ, and take for example the simple database D₀ with just two points in it: S^{D₀} = {(0,0), (1,1)}. To evaluate φ on D₀ we can try the following simple idea called plug-in evaluation: replace in φ every atomic subformula of the form S(u,v) by a corresponding formula defining S^{D₀}, i.e., the formula (u = 0 ∧ v = 0) ∨ (u = 1 ∧ v = 1). We get the following formula which is purely over the reals only; it no longer mentions any database relations:

$$ \{(x,y) \mid \exists x_1, y_1, x_2, y_2, \lambda : ((x_1,y_1) = (0,0) \vee (x_1,y_1) = (1,1)) \wedge ((x_2,y_2) = (0,0) \vee (x_2,y_2) = (1,1)) \wedge 0 \le \lambda \le 1 \wedge (x,y) = \lambda(x_1,y_1) + (1-\lambda)(x_2,y_2)\} $$

This formula defines the infinite set of points in ℝ² on the closed line segment between (0,0) and (1,1) and symbolically represents the answer of our query on our database.

We can always perform plug-in evaluation of a first-order query on a real database, provided the numbers occurring in the database are rational so that we can effectively write down the formula defining the answer. In general, the subsets of ℝⁿ that are definable (as n-ary relations) by first-order formulas over ℝ are known as the semi-algebraic sets [10,14]. They have quite nice properties.

Is this representation of semi-algebraic sets by real formulas workable? Can 
we, e.g., effectively decide whether the set defined by a given real formula is 
nonempty? Thanks to Tarski’s decision procedure for the first-order theory of 
the reals [52], the representation is indeed quite workable. The computational 
complexity of Tarski’s original procedure is very high, but over the years there 
has been steady progress in algorithms for real algebraic geometry [9,15,30,45]. 
A crucial parameter in the computational complexity of current algorithms is 
the number of quantifiers in the formula. In the case of plug-in evaluation this 
number depends only on the query formula and not on the database, which 
implies a polynomial time complexity. 
Tarski actually gave a complete quantifier elimination procedure for real formulas, so we can define every semi-algebraic set already by a quantifier-free formula. To arrive at the concept of constraint database, we make one final but logical step: we allow semi-algebraic sets not just as outputs of queries, but also as inputs. Specifically, we remove the restriction that each relation in the database must be finite, and require instead that each relation must be a semi-algebraic set. In a constraint database we thus no longer store any actual tuples, but we store a collection of quantifier-free formulas, one for each relation name in the schema of the database. Plug-in evaluation is still possible: given a first-order formula φ and a constraint database D, we replace in φ every atomic subformula of the form S(u,v), with S a relation name from the database schema, by the real formula γ(u,v) defining S^D. The result of all these replacements is a real formula defining φ(D). Since thanks to Tarski we can work with quantifier-free formulas, the computational complexity of deciding nonemptiness and many other algorithms remains polynomial-time, like we had with finite databases.

Constraint databases have been an active research area over the past decade [39,43,49,62,43], and the constraint database concept is not at all limited to the reals. In principle it works for any universe U with a certain structure (consisting of predicates and functions) that admits effective quantifier elimination (and for which truth of atomic sentences is decidable)*. In this respect, recall that, as Tarski himself noted early on [57], his quantifier elimination for the reals implies that every subset of ℝ definable by a first-order formula with parameters over the reals is the union of a finite number of intervals. This property alone is already responsible for a lot of the nice properties (referred to as "tame topology" [65]) of semi-algebraic sets. Any universe that has this property is called o-minimal. The "collapse" of the natural semantics for first-order logic on finite databases to the active-domain semantics, which we pointed out earlier, does not just hold under the reals but under any universe that is o-minimal and admits quantifier elimination [11].

6 Geometric Queries 

We conclude our survey by making the circle complete and returning to the first topic we discussed: the notion of genericity for database queries, now reconsidered in the new setting of spatial databases.

We begin by noting that, when thinking about spatial data, the real numbers as "urelemente" are not the right level of abstraction. They show up merely as a convenient representation, via coordinates, for the real urelemente, which are the points in our geometric space. Let us work as before in the real plane ℝ² (everything we will say in this section generalizes to arbitrary ℝⁿ). This means in general that we only work with database schemas S where the arity of every relation name is a multiple of 2. In a geometric database with schema S, each relation, of arity 2n, say, is interpreted as an n-ary relation on ℝ². Following the constraint database approach outlined in the previous section, each relation is semi-algebraic. We call such databases geometric. An n-ary geometric query over S then is a function mapping geometric databases with schema S to n-ary relations on ℝ².

* Interesting recent work even considers universes that are non-numeric, such as strings or terms [12,13,24].

Recalling our discussion in Section 2, we can now again call a geometric query generic if it is invariant under all permutations of ℝ² (note: not ℝ). This does make sense: these are the queries that treat the points as uninterpreted abstract data elements. They are exactly the classical generic queries under the unstructured universe U where this U happens to be ℝ². Many interesting geometric queries are not so "absolutely" generic, however, and this is as it should be: as we mentioned at the end of Section 2, Tarski viewed logic as an "extreme" kind of geometry. Thus, by considering various other groups of transformations of ℝ², corresponding to various geometrical interpretations of our spatial data, we can reach the geometric queries that fit the particular interpretation.

Let us illustrate this using the group of affinities, i.e., the permutations of ℝ² that preserve betweenness. We call a geometric query affine-generic if it is invariant under all affinities of ℝ². For example, consider the following geometric queries over a set of points S (i.e., a binary relation S):

1. Is S nonempty? In first-order: ∃x,y S(x,y)

2. Is S convex? In first-order: ∀x₁,y₁,x₂,y₂,λ : (S(x₁,y₁) ∧ S(x₂,y₂) ∧ 0 ≤ λ ≤ 1) → S(λ(x₁,y₁) + (1−λ)(x₂,y₂))

3. Is S a circle? In first-order: ∃r,x₀,y₀ ∀x,y : S(x,y) ↔ (x−x₀)² + (y−y₀)² = r²

Query 1 is absolutely generic; query 2 is only affine-generic; and query 3 is not affine-generic (the notion of "circle" does not exist in affine geometry).

We now come to a natural question: how can we logically characterize the affine-generic first-order geometric queries? Tarski brings us inspiration. In his work on the axiomatization of elementary geometry [58,50], Tarski considered first-order logical formalisms with variables ranging over points in the geometric space, and elementary predicates on these points as dictated by the geometry to be formalized. For example, elementary affine geometry in the real plane corresponds to doing first-order logic in the structure (ℝ², β), where β denotes the ternary betweenness predicate on ℝ²: β(p,q,r) holds if point p lies on the closed line segment between points q and r.

Inspired by this, we can view a geometric database D with schema S as a constraint database over the interpreted universe (ℝ², β) rather than over the universe (ℝ, <, +, ·, 0, 1). Note that under this alternative view, the schema changes: the arity of each relation name S goes from 2n to n. We denote this "halved" schema by S'. First-order queries under the alternative view now are expressed by first-order formulas over the vocabulary (S', β) rather than (S, <, +, ·, 0, 1). Let us refer to the original class of first-order queries as FO[ℝ] and to the new one as FO[β]. Example queries 1 and 2 from above are expressed in FO[β] as follows:

1. ∃p S(p)

2. ∀p,q,r : (S(p) ∧ S(q) ∧ β(r,p,q)) → S(r)

Example query 3 is not in FO[β]: indeed, query 3 is not affine-generic, and FO[β] clearly contains only affine-generic queries. It is also clear that FO[β] is a subclass of FO[ℝ]: we represent every point variable p by a pair of real variables (p₁,p₂), and β(p,q,r) is easily expressible as

$$ (q_1 - p_1)\cdot(p_2 - r_2) = (q_2 - p_2)\cdot(p_1 - r_1) \;\wedge\; 0 \le (q_1 - p_1)\cdot(p_1 - r_1) \;\wedge\; 0 \le (q_2 - p_2)\cdot(p_2 - r_2). $$

Interestingly, the converse holds as well:

Theorem 3 ([29]). Every affine-generic geometric query in FO[ℝ] is in FO[β].

The proof uses the original observation by Tarski that the geometrical constructions of <, + and · of points on a line can be defined in first-order logic over β.
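The betweenness predicate β, written as the real formula just given, run alongside the Euclidean equal-distance predicate on a finite point set before and after an affinity of the plane; this makes concrete the distinction between the affine-generic and non-affine-generic example queries earlier in this section. It is an added Python example, not code from the paper; the sample point set, the chosen affinity and all function names are this example's own.

```python
# Added example (not from the paper): Tarski's betweenness predicate β as
# the FO[ℝ] formula of Section 6, the Euclidean equal-distance predicate,
# and two finite-set queries checked for invariance under an affinity.
from fractions import Fraction as F
from itertools import permutations


def beta(p, q, r):
    """β(p,q,r): p lies on the closed segment between q and r.  Written exactly
    as the real formula of Section 6: q-p and p-r are collinear, and the two
    sign conditions force p between q and r rather than outside them."""
    (p1, p2), (q1, q2), (r1, r2) = p, q, r
    return ((q1 - p1) * (p2 - r2) == (q2 - p2) * (p1 - r1)
            and 0 <= (q1 - p1) * (p1 - r1)
            and 0 <= (q2 - p2) * (p2 - r2))


def equidistant(p, q, r, s):
    """The 4-ary Euclidean equal-distance predicate |pq| = |rs|, compared on
    squared distances so it stays exact over rational coordinates."""
    return ((p[0] - q[0]) ** 2 + (p[1] - q[1]) ** 2
            == (r[0] - s[0]) ** 2 + (r[1] - s[1]) ** 2)


def has_collinear_triple(S):
    """FO[β] query on a finite point set: three distinct points of S, one of
    them between the other two.  Like query 2 of the text, affine-generic."""
    return any(beta(p, q, r) for p, q, r in permutations(S, 3))


def has_isosceles_triple(S):
    """FO[ℝ] query using a Euclidean notion, like query 3 of the text: some
    point of S is equidistant from two other points of S."""
    return any(equidistant(p, q, p, r) for p, q, r in permutations(S, 3))


def affinity(A, b):
    """The affinity x ↦ Ax + b of the plane, A an invertible 2x2 matrix."""
    def f(p):
        return (A[0][0] * p[0] + A[0][1] * p[1] + b[0],
                A[1][0] * p[0] + A[1][1] * p[1] + b[1])
    return f


def image(f, S):
    return frozenset(f(p) for p in S)


def beta_is_invariant(S, f):
    """Affinities are exactly the permutations preserving betweenness; check
    that property on every triple drawn from S."""
    return all(beta(f(p), f(q), f(r)) == beta(p, q, r)
               for p, q, r in permutations(S, 3))


# Constructed sample: three collinear points (the middle one is not the
# midpoint) plus a fourth point equidistant from the two outer ones.
SAMPLE_S = frozenset({(F(0), F(0)), (F(1), F(1)), (F(3), F(3)), (F(0), F(3))})
# A non-Euclidean affinity: halve x, triple y, then translate by (1, 0).
SAMPLE_AFFINITY = affinity(((F(1, 2), F(0)), (F(0), F(3))), (F(1), F(0)))

if __name__ == "__main__":
    T = image(SAMPLE_AFFINITY, SAMPLE_S)
    print(has_collinear_triple(SAMPLE_S), has_collinear_triple(T))  # kept
    print(has_isosceles_triple(SAMPLE_S), has_isosceles_triple(T))  # lost
    print(beta_is_invariant(SAMPLE_S, SAMPLE_AFFINITY))
```

The collinearity answer survives the affinity while the equal-distance answer does not, which is what separates an affine-generic query from one that needs Euclidean geometry.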

Other geometric interpretations can be captured in a similar way: for example, if we use, instead of the betweenness predicate, the (4-ary) equal-distance predicate, we obtain Euclidean rather than affine geometry. Capturing topological queries (invariant under all homeomorphisms) is much more difficult [42,27].



7 Conclusion 

We have surveyed some ideas and results from database theory related to Tarski’s 
ideas. We have neither been comprehensive with respect to Tarski’s work, nor 
with respect to database theory, and probably not even with respect to the 
applications of the former in the latter. A great source to learn more about Tarski 
are his Collected Papers [26] . A great source to learn more about database theory 
are the proceedings of the annual ACM Symposium on Principles of Database 
Systems published by ACM Press, and the biannual International Conference on 
Database Theory published in Springer’s Lecture Notes in Computer Science. 
Abstract. Logic is no longer about a preexisting external reality, but about its own protocols, its own geometry. Typically the negation is not about saying "NOT", but about the mirror, the duality "I" vs. "the world"...

The new approach encompasses the old one, typically if "I" win, "the world" loses, i.e., wins "NOT". When logical artifacts are identified with their own rules of production, LOCATIVE phenomena arise. In particular, one realises that usual logic (including linear logic) is SPIRITUAL, i.e., up to isomorphism. But there is a deeper locative level, with indeed a more regular structure. Typically the usual (additive) conjunction has the value of categorical product in usual logic, and enjoys commutativity, associativity, etc. up to isomorphism.

In ludics, what corresponds is a plain intersection G ∩ H, which is really associative, commutative, etc. (no isomorphisms); it contains the usual conjunction as a delocalised case φ(G) ∩ ψ(H). Incidentally this shows that the categorical view of logic, if very useful, is wrong... Nature abhors an isomorphism!

LUDICS is a monist approach to logic, without this nonsense distinction syntax/semantics/meta: just plain logical artifacts, period.
Abstract. The most fundamental results of monadic second-order decidability, beyond the decidability of just pure monadic second-order logic, deal with the decidability of the monadic second-order theories of one and two successors and the decidability of the monadic second-order theory of linear order (Büchi, Rabin). Having moved from sets to multisets, we refine the underlying logic as linear logic. In contrast to the classical results, we prove the undecidability of just pure monadic linear logic, even if we use nothing but Horn formulas built up of unary predicates, in which no functional symbols are present. As for affine logic (linear logic plus weakening), we prove the undecidability of the Horn fragment of affine logic, which involves only one binary predicate ("linear order") and a fixed finite number of unary predicates, and which contains no functional symbols at all. We also show the undecidability of the ∃-free Horn fragment of monadic affine logic in the presence of only one constant symbol ("zero") and only one unary functional symbol ("successor"), and a fixed finite number of unary predicate symbols. Along these lines, we obtain the undecidability of the optimistic protocol completion even for the class of communication protocols with two participants such that either of them is a finite automaton provided with one register capable of storing one atomic message, all the predicates used are at most unary, and no compound messages are in use.



1 Motivations and Summary

The most fundamental results of monadic second-order decidability, beyond the decidability of just pure monadic second-order logic, deal with the decidability of the monadic second-order theories of one and two successors and the decidability of the monadic second-order theory of linear order [1,26,27,11]. Since the traditional monadic theories deal with sets, this involves the traditional Boolean logic over atomic formulas (x∈y). Having moved from sets to multisets, we refine the underlying logic as linear logic [9]¹. In particular, within the linear logic framework, the fact that "two copies of x are in y" can be expressed as a simple formula: ((x∈y) ⊗ (x∈y)). Contrary to what might have been expected, we prove the undecidability of just pure monadic linear logic, even if we use nothing but Horn formulas built up of unary predicates, which involve no functional symbols at all. This undecidability result is formulated in terms of communication protocols [25,6,2,22,8]. As for verifying formal specifications of protocols, prior to analysis of protocol properties related to intruders, we have to show that our formal specification of a given protocol meets the protocol rules and conventions at least under ideal conditions in the absence of an intruder. We prove that the problem of the optimistic protocol completion, "Whether the protocol participants can finish playing in accordance with a protocol (when no one interferes with network transmission)", is undecidable, even if each of the participants is a finite automaton provided with one register capable of storing one atomic message, all the predicates in question are at most unary, and no compound messages are in use. As compared to [3,7], the undecidability of the secrecy problem there is essentially based on the Cook encoding of Turing machines in terms of classical binary predicates. Since the classical monadic cases are decidable, their results are not directly translated into the pure monadic case.

¹ Here we confine ourselves to the so-called multiplicative-exponential fragment of linear logic without "additives". The Horn fragments under consideration are the simplest fragments of the multiplicative-exponential linear logic. As for the full propositional multiplicative-additive-exponential linear logic, it is undecidable [21].

From the Horn point of view, we accomplish the full picture. The propositional pure Horn linear logic is decidable but its complexity is that of the reachability problem for Petri nets [10,13]. (The decision problem for the full propositional multiplicative-exponential fragment of linear logic is still open.) The next step, toward the pure monadic Horn fragment of linear logic, is shown here to yield undecidability.

In the second part of the paper we consider 'monadic' affine logic, that is, linear logic with the Weakening rule. The full propositional affine logic is known to be decidable [17]. As for pure monadic affine logic, the problem is open. For affine logic, the faithfulness of our encoding in Theorem 3 fails exactly in the most subtle case of the zero-test. Nevertheless, in contrast to [26,1], we prove the undecidability of the Horn fragment of pure monadic affine logic, which, in addition, has one binary predicate symbol ("linear order"), as well as the undecidability of the Horn fragment of monadic affine logic, which involves only one constant ("zero") and one unary functional symbol ("successor").

The undecidability proofs are established by the following scheme. The program of a machine M is specified in terms of linear logic formulas taken from a certain Horn fragment in such a way that any computation of M can be "easily" transformed into a derivation for a certain 'target' sequent. The most complicated direction is the opposite one, that of extracting a computation of M from a given derivation for the 'target' sequent. This faithfulness problem can be resolved by analysis of the particular derivations specified in the case of each of the encoding techniques. We sort out the faithfulness problem with the help of the comprehensive computational interpretation developed for the Horn fragments of linear and affine logics [13,14,15] and its generalizations.

2 Horn Linear Logic 

Within the monadic paradigm, atomic formulas are of the form (x∈y). On the other hand, any formula of the form (x∈V), with V being a constant, can be thought of as a unary predicate, say P(x). Therefore, the first-order Horn formulas which invoke only unary predicates can be treated as being inside the monadic language.

Definition 1. A signature Σ consists of predicate symbols Q₁, Q₂, ... with their arity, functional symbols f₁, f₂, ..., and constants c₁, c₂, .... An atomic formula is 1 or a formula of the form Q_j(t₁,t₂,..,t_k), with t_i being functional terms. An elementary product X is defined as an expression of the form

$$ X := (P_1(t_{1,1},..,t_{1,k_1}) \otimes P_2(t_{2,1},..,t_{2,k_2}) \otimes \cdots \otimes P_m(t_{m,1},..,t_{m,k_m})) $$

where P₁,P₂,..,P_m are predicate symbols, t_{1,1},..,t_{1,k₁}, ..., t_{m,1},..,t_{m,k_m} are terms.

We say that elementary products X and X' are equivalent, and write X ~ X', if X does not differ from X' modulo commutativity and associativity of ⊗.

A Horn formula is defined as a closed formula of the form

$$ \forall x_1..x_n\,(X(x_1,..,x_n,a_1,..,a_p) \multimap \exists y_1..y_m\, Y(x_1,..,x_n,y_1,..,y_m,b_1,..,b_q)) $$

where X(x₁,..,x_n,a₁,..,a_p) and Y(x₁,..,x_n,y₁,..,y_m,b₁,..,b_q) are elementary products, and the list a₁,..,a_p, b₁,..,b_q contains all the constants occurring there.

There is a clear isomorphism between elementary products (modulo commutativity) and finite multisets consisting of atomic formulas. E.g., the collection of facts {R(f(c)), S(d), S(d)} is represented by a product of the form (R(f(c)) ⊗ S(d) ⊗ S(d)), and vice versa. Thus any closed elementary product W(a₁,..,a_n) is conceived of as a description of a certain configuration, or situation, in the system. A Horn formula ∀x̄(X(x̄) ⊸ ∃ȳ Y(x̄,ȳ)) is conceived of as an instruction to transform configurations in the multiset rewriting manner. Namely, a "part" of the form X(t̄) within the current configuration can be replaced with a "part" of the form Y(t̄,d̄), where d̄ is the vector of fresh constants generated in this case. E.g., a typical programming assignment r := f(r) can be axiomatized as ∀x(R(x) ⊸ R(f(x))), where the intended meaning of R(v) is that "The register r contains v".

Definition 2. Let Γ be a set of Horn formulas. A scenario S is a course of events in accordance with Γ, which starts in a certain initial configuration W. Formally, scenario S is a rooted chain of vertices v₀, v₁, v₂, ... such that

(a) Every vertex v is labelled by a 'configuration', that is a closed elementary product Config(v). For root v₀, Config(v₀) := W.

(b) Every edge (v,w) is labelled by a closed Horn sequent of the form

$$ X(t_1,..,t_n,a_1,..,a_p) \vdash Y(t_1,..,t_n,d_1,..,d_m,b_1,..,b_q), \qquad (1) $$

such that d₁,..,d_m are distinct fresh constants: each of these d_j neither occurs in Γ, nor occurs in W, nor occurs in the Horn sequents the previous edges are labelled by, and for some V(e₁,..,e_k):

$$ \mathrm{Config}(v) \sim (X(t_1,..,t_n,a_1,..,a_p) \otimes V(e_1,..,e_k)), \qquad \mathrm{Config}(w) \sim (Y(t_1,..,t_n,d_1,..,d_m,b_1,..,b_q) \otimes V(e_1,..,e_k)), $$

and Γ contains a formula, a 'general pattern' of (1), of the form:

$$ \forall x_1..x_n\,(X(x_1,..,x_n,a_1,..,a_p) \multimap \exists y_1..y_m\, Y(x_1,..,x_n,y_1,..,y_m,b_1,..,b_q)). $$
What we need here is to extend the comprehensive computational interpretation for Horn linear logic introduced in [13,14,15] to the first-order case.

Theorem 1 (Scenarios ⟹ Proofs). Let $\Gamma$ be a set consisting of Horn formulas. Let $W(a_1,..,a_p)$ and $Z(d_1,..,d_k,b_1,..,b_q)$ be closed elementary products, where $a_1,..,a_p$, $d_1,..,d_k$, $b_1,..,b_q$ are constants, and each of the constants $b_1,..,b_q$ occurs either in $\Gamma$ or in $W(a_1,..,a_p)$. Then any scenario $\mathcal{S}$ in accordance with $\Gamma$, which leads from $W(a_1,..,a_p)$ to $Z(d_1,..,d_k,b_1,..,b_q)$, can be transformed into a linear logic derivation of a sequent of the form:

$$!\Gamma,\ W(a_1,..,a_p) \vdash \exists z_1..z_k\,Z(z_1,..,z_k,b_1,..,b_q). \qquad (2)$$

Here $!\Gamma$ stands for the set resulting from putting $!$ before each formula in $\Gamma$.

Proof. The desired proof is assembled by induction on S. □ 

Theorem 2 (Proofs ⟹ Scenarios). Let $\Gamma$ consist of Horn formulas. Given a linear logic derivation for a sequent of the form (2), we can form a scenario $\mathcal{S}$ in accordance with $\Gamma$, which leads from $W(a_1,..,a_p)$ to $Z(s_1,..,s_k,b_1,..,b_q)$, for some closed terms $s_1,..,s_k$. Furthermore, these 'programs' $s_1,..,s_k$ can be taken in such a way that each of their functional symbols occurs in $\Gamma$ or in $W(a_1,..,a_p)$.

Proof. We assemble the corresponding chain-like scenarios by induction on the 
cut-free derivations running from their leaves to their roots (see [13,14,15]). □ 



3 Just Pure Monadic Case: No Functional Symbols 

The undecidability of pure monadic linear logic is established in terms of protocols, which define the communication framework between two or more agents [25,6,2,22,8]. We consider here a finite state message passing model, wherein a protocol, as a theater director, is dealing with a cast of actors, each of whom is a finite automaton supplied with a fixed finite memory. Every actor is keeping up its part stipulated by the protocol. (Intruders may follow their own policy.) Besides their pure finite automaton actions, the actors may give/take the cues to/from the others. Since the actors cannot communicate directly on a local stage, they send messages on the network ("From Alice to Bob: below is my public key"), or, in turn, receive them as network messages. As stipulated by the protocol, the actors have a chance to come out with their nonce-word messages ("From Bob to Alice: below is my secret encrypted with your public key").

A prior property of a protocol is that of the protocol completion under 'optimistic' conditions: whether the actors can finish playing (when no one interferes with network transmission).

According to the Dolev-Yao paradigm [6] , messages are composed of indivis- 
ible abstract values by means of certain functions, like encryption, decryption, 
signing, pairing, etc. In this section we confine ourselves to the simplest case 
where no functions are present, and thereby all messages are indivisible. 

We show undecidability of the optimistic protocol completion for such a restricted class of protocols, where, in addition, there are only two participants: A ("Alice") and B ("Bob"), each provided with a unique register capable of storing one atomic message.

We will encode a deterministic 2-counter Minsky machine $M$ [24], whose program, a list of instructions $I_1,\ldots,I_s$, is re-organized in such a way that $M$ jumps from one counter to the other "by turns"^, namely, for certain disjoint finite sets of 'states' $a_0, a_1,..,a_i,..$ (associated with $r_1$) and $b_0, b_1,..,b_j,..$ (associated with $r_2$) each of $M$'s instructions is of one of the following labelled forms ($i,j \geq 1$):

"jump"        (O)   $a_i$ : goto $b_j$;                      (O)   $b_j$ : goto $a_k$;
"increment"   (I)   $a_i$ : $r_1 := r_1 + 1$; goto $b_j$;    (I)   $b_j$ : $r_2 := r_2 + 1$; goto $a_k$;
"decrement"   (II)  $a_i$ : $r_1 := r_1 - 1$; goto $b_j$;    (II)  $b_j$ : $r_2 := r_2 - 1$; goto $a_k$;
"zero-test"   (III) $a_i$ : if ($r_1 = 0$) goto $b_j$;       (III) $b_j$ : if ($r_2 = 0$) goto $a_k$;

No different instructions are labelled by the same label. States $a_1$ and $a_0$ are the initial and final states of $M$, respectively. The $M$'s configuration where $M$ is in state $m$, and $k_1$ and $k_2$ are the current values of counters $r_1$ and $r_2$, respectively, is denoted by $(m; k_1, k_2)$. A computation performed by $M$ is a sequence of $M$'s configurations such that each step is made by one of the above instructions.

Within the language of our encoding, labels $a_0, a_1,..,a_i,..$ and $b_0, b_1,..,b_j,..$ will work as constants. We invoke also the following predicates:

(a) $N(x)$ is intended to show that: "Message $x$ is on the network". For $m$ of the form $a_i$ or $b_j$, $N(m)$ is also conceived of as: "$M$ is in state $m$".

(b) $A_1(x)$ means that: "The unique register in the memory of A contains $x$", which is also conceived of as: "$x$ is active with respect to $M$'s counter $r_1$".

(c) $B_1(x)$ tells us that: "The unique register in the memory of B contains $x$", which is also conceived of as: "$x$ is active with respect to $M$'s counter $r_2$".

(d) The states of automaton A are named by propositions: $p^A, q^A, r^A, s^A_0, s^A_1, .., s^A_i, \ldots$, respectively.

(e) The states of automaton B are named by propositions: $p^B, q^B, r^B, s^B_0, s^B_1, .., s^B_j, \ldots$, respectively.

Given a number $n$, the role played by A ("Alice") is defined as follows (each of A's actions is attached by a Horn formula, its formal axiomatization):

(1) Being in her initial state $p^A$, A generates a nonce, say $n_A$ (a random number, which differs from all $a_i$ and $b_j$, and the previous nonces, if any), stores it, sends $n$ copies of $n_A$ on the network, and goes to $s^A_1$:

$$\alpha_n := (p^A \multimap \exists y\,(s^A_1 \otimes A_1(y) \otimes \underbrace{N(y) \otimes N(y) \otimes \cdots \otimes N(y)}_{n\ \text{times}})) \qquad (3)$$

(2) Being in $s^A_i$ ($i \geq 1$), A "performs" the instruction $I$ of the form $a_i : \ldots$ goto $b_j$, and signals that it is B's turn next to "perform" the instruction labelled by $b_j$:

(2a) Case O: $I$ is of the form $a_i$ : goto $b_j$.

A sends message $b_j$ on the network, and goes to $r^A$:

$$\gamma_I := (s^A_i \multimap (r^A \otimes N(b_j))) \qquad (4)$$

^ Suppose that two "old" instructions $I$ and $I'$ are consecutively dealing with the same counter $r_1$. Then we provide the desired "jumps" from $r_1$ to $r_2$ and back to $r_1$ by 'wedging' an instruction (O) between modified $I$ and $I'$.

44 Max Kanovich
(2b) Case I: $I$ is of the form $a_i$ : $r_1 := r_1 + 1$; goto $b_j$.

A sends two messages, $b_j$ and the currently stored $n_A$, on the network, and goes to $r^A$:

$$\gamma_I := \forall x\,((s^A_i \otimes A_1(x)) \multimap (r^A \otimes A_1(x) \otimes N(x) \otimes N(b_j))) \qquad (5)$$

(2c) Case II: $I$ is of the form $a_i$ : $r_1 := r_1 - 1$; goto $b_j$.

A is waiting for a network message of the same form as the nonce currently stored in the memory of A. Having received such a message, A intercepts it, sends $b_j$ on the network, and goes to $r^A$:

$$\gamma_I := \forall x\,((s^A_i \otimes A_1(x) \otimes N(x)) \multimap (r^A \otimes A_1(x) \otimes N(b_j))) \qquad (6)$$

(2d) Case III: $I$ is of the form $a_i$ : if ($r_1 = 0$) goto $b_j$.

A generates a new nonce $n'_A$, substitutes it for the old one, sends $b_j$ on the network, and goes to $r^A$:

$$\gamma_I := \forall x\,((s^A_i \otimes A_1(x)) \multimap \exists y\,(r^A \otimes A_1(y) \otimes N(b_j))) \qquad (7)$$

(3) Being in $s^A_0$, A cleanses up her memory, sends $b_0$ on the network, and goes to her final state $q^A$:

$$\sigma^A := \forall x\,((s^A_0 \otimes A_1(x)) \multimap (q^A \otimes N(b_0))) \qquad (8)$$

(4) Being in $r^A$, A is waiting for a network message of the form $a_i$. Having received such a message, A intercepts it, and goes to $s^A_i$:

$$\rho^A_i := ((r^A \otimes N(a_i)) \multimap s^A_i) \qquad (9)$$

In turn, the role of B ("Bob") is to perform the following "mirror" actions:

(1) Being in his initial state $p^B$, B generates a random number, nonce $n_B$, stores it, and goes to $r^B$:

$$\beta_0 := (p^B \multimap \exists y\,(r^B \otimes B_1(y))) \qquad (10)$$

(2) Being in $r^B$, B is waiting for a network message of the form $b_j$. Having received such a message, B intercepts it, and goes to $s^B_j$:

$$\rho^B_j := ((r^B \otimes N(b_j)) \multimap s^B_j) \qquad (11)$$

(3) Being in $s^B_j$ ($j \geq 1$), B "performs" the instruction $I$ of the form $b_j : \ldots$ goto $a_k$, and signals that it is A's turn next to "perform" the instruction labelled by $a_k$:

(3a) Case O: $I$ is of the form $b_j$ : goto $a_k$.

B sends message $a_k$ on the network, and goes to $r^B$:

$$\gamma_I := (s^B_j \multimap (r^B \otimes N(a_k))) \qquad (12)$$

(3b) Case I: $I$ is of the form $b_j$ : $r_2 := r_2 + 1$; goto $a_k$.

B sends two messages, $a_k$ and the stored $n_B$, on the network, and goes to $r^B$:

$$\gamma_I := \forall x\,((s^B_j \otimes B_1(x)) \multimap (r^B \otimes B_1(x) \otimes N(x) \otimes N(a_k))) \qquad (13)$$

(3c) Case II: $I$ is of the form $b_j$ : $r_2 := r_2 - 1$; goto $a_k$.

B is waiting for a network message of the same form $n_B$ as the nonce currently stored in the memory of B. Having received such a message, B intercepts it, sends $a_k$ on the network, and goes to $r^B$:

$$\gamma_I := \forall x\,((s^B_j \otimes B_1(x) \otimes N(x)) \multimap (r^B \otimes B_1(x) \otimes N(a_k))) \qquad (14)$$

(3d) Case III: $I$ is of the form $b_j$ : if ($r_2 = 0$) goto $a_k$.

B generates a new nonce $n'_B$, substitutes it for the old one, sends $a_k$ on the network, and goes to $r^B$:

$$\gamma_I := \forall x\,((s^B_j \otimes B_1(x)) \multimap \exists y\,(r^B \otimes B_1(y) \otimes N(a_k))) \qquad (15)$$

(4) Being in $s^B_0$, B cleanses up his memory, and goes to his final state $q^B$:

$$\sigma^B := \forall x\,((s^B_0 \otimes B_1(x)) \multimap q^B) \qquad (16)$$

We abbreviate as: $(N(m))^0 := \mathbf{1}$, and $(N(m))^k := \underbrace{N(m) \otimes N(m) \otimes \cdots \otimes N(m)}_{k\ \text{times}}$.

Lemma 1. Let a total situation of the whole system "participants+network" be of the form ($i \geq 1$):

$$(s^A_i \otimes A_1(n_A) \otimes r^B \otimes B_1(n_B) \otimes (N(n_A))^{k_1} \otimes (N(n_B))^{k_2}), \qquad (17)$$

"A is in state $s^A_i$ and keeps $n_A$ in her memory, B is in state $r^B$ and keeps $n_B$ in his memory, there are $k_1$ copies of $n_A$ and $k_2$ copies of $n_B$ on the network." (Such a (17) is said to represent an $M$'s configuration of the form $(a_i; k_1, k_2)$.) Then the only action that can be performed is that of A with some $\gamma_I$, invoking an $M$'s instruction $I$ of the form $a_i : \ldots$ goto $b_j$. The effect of the action is a total situation of the form:

$$(r^A \otimes A_1(n'_A) \otimes r^B \otimes B_1(n_B) \otimes (N(n_A))^{k'_1} \otimes (N(n_B))^{k_2} \otimes N(b_j)). \qquad (18)$$

The next move can be made only by B with the help of $\rho^B_j$, resulting in a total situation of the form:

$$(r^A \otimes A_1(n'_A) \otimes s^B_j \otimes B_1(n_B) \otimes (N(n_A))^{k'_1} \otimes (N(n_B))^{k_2}), \qquad (19)$$

which intends to represent the next $M$'s configuration $(b_j; k'_1, k_2)$, the yield of $I$.

Similarly, with A and B interchanging their roles, any continuation from (19) involves the simulation of the $M$'s instruction labelled by $b_j$, which leads to a total situation of the form:

$$(s^A_k \otimes A_1(n'_A) \otimes r^B \otimes B_1(n'_B) \otimes (N(n_A))^{k'_1} \otimes (N(n_B))^{k'_2}). \qquad (20)$$

Proof. (11) is not applicable on (17), since any nonce differs from $b_j$. □

Lemma 2. If $I$ is not a zero-test, then $n'_A = n_A$, and (19) is a correct representation of $(b_j; k'_1, k_2)$:

$$(r^A \otimes A_1(n'_A) \otimes s^B_j \otimes B_1(n_B) \otimes (N(n'_A))^{k'_1} \otimes (N(n_B))^{k_2}). \qquad (21)$$

The case of a zero-test $I$ of the form $a_i$ : if ($r_1 = 0$) goto $b_j$, is more subtle because of $n'_A \neq n_A$:

(a) We can guarantee the 'correct' form (21) of (19) whenever $(a_i; k_1, k_2)$ and $(b_j; k'_1, k_2)$ are consecutive $M$'s configurations within a legal $M$'s computation, and thereby $k'_1 = k_1 = 0$.

(b) For $k_1 \geq 1$, (19) has an occurrence of $N(n_A)$, where $n_A$ differs from the new $n'_A$ in the memory of A. By construction, we could never have removed this occurrence of the obsolete $N(n_A)$.

Definition 3. Let $\Gamma_n$ consist of Horn formulas (3)-(16):

$$\Gamma_n := \{\alpha_n, \beta_0, \sigma^A, \sigma^B, \rho^A_0, \rho^A_1, .., \rho^A_i, .., \rho^B_0, \rho^B_1, .., \rho^B_j, ..\} \cup \bigcup_{k \geq 1} \{\gamma_{I_k}\}.$$

Starting from the initial total situation $(p^A \otimes p^B)$ of the whole system "participants+network", the protocol is said to be completed whenever it gets into the final total situation $(q^A \otimes q^B)$, that is, in formal terms, there is a scenario $\mathcal{S}$ in accordance with $\Gamma_n$, which leads from $(p^A \otimes p^B)$ to $(q^A \otimes q^B)$.

Theorem 3. For any $n$, there is an exact correspondence between the following three sets:

(i) the computations performed by $M$, which lead to its final configuration $(a_0; 0, 0)$, starting from its initial configuration $(a_1; n, 0)$,

(ii) the linear logic derivations for a sequent of the form: $!\Gamma_n, (p^A \otimes p^B) \vdash (q^A \otimes q^B)$,

(iii) and scenarios $\mathcal{S}$ in accordance with $\Gamma_n$ which lead from $(p^A \otimes p^B)$ to $(q^A \otimes q^B)$.

Proof. Let us sketch the main ideas.

(A) [Protocol Scenarios ⟺ LL Proofs] is provided by Theorems 1 and 2.

(B) [$M$'s Computations ⟹ Protocol Scenarios]. By means of actions $\alpha_n$ and $\beta_0$ performed by A and B, respectively, the initial $(p^A \otimes p^B)$ is changed into a total situation of the form:

$$(s^A_1 \otimes A_1(n_A) \otimes r^B \otimes B_1(n_B) \otimes (N(n_A))^n \otimes (N(n_B))^0), \qquad (22)$$

which represents the initial $M$'s configuration $(a_1; n, 0)$.

According to Lemmas 1 and 2, any $M$'s computation can be simulated step-by-step by the actions of A and B, getting into a "counterpart" of the final $(a_0; 0, 0)$:

$$(s^A_0 \otimes A_1(n'_A) \otimes r^B \otimes B_1(n'_B) \otimes (N(n'_A))^0 \otimes (N(n'_B))^0). \qquad (23)$$

By the "cleansing" $\sigma^A$ and $\sigma^B$, our simulating scenario is completed in $(q^A \otimes q^B)$.

(C) [Scenarios ⟹ $M$'s Computations]. Without loss of generality, suppose that the 'initial' $M$'s instruction, which is labelled by $a_1$, is the trivial "jump": $a_1$ : goto $b_1$.

On the way from $(p^A \otimes p^B)$ to $(q^A \otimes q^B)$ any scenario $\mathcal{S}$ is to lead, first, from $(p^A \otimes p^B)$ to the total situation representing $(b_1; n, 0)$:

$$(r^A \otimes A_1(n_A) \otimes s^B_1 \otimes B_1(n_B) \otimes (N(n_A))^n \otimes (N(n_B))^0), \qquad (24)$$

and then, eventually, to a total situation of the form:

$$(s^A_0 \otimes A_1(n'_A) \otimes r^B \otimes B_1(n'_B) \otimes (N(n'_A))^0 \otimes (N(n'_B))^0), \qquad (25)$$

just before finishing in $(q^A \otimes q^B)$. Furthermore, all these steps from (24) to (25) are inductively controlled by Lemma 1.

Let us consider an intermediate step, say from (17), representing $(a_i; k_1, k_2)$, to (19), which invokes $\gamma_I$, with $I$ being of the form $a_i : \ldots$ goto $b_j$ (see Lemma 1). For $I$ not being a zero-test, the enabling conditions of $\gamma_I$ provide that (19) represents $(b_j; k'_1, k_2)$, and $M$ can perform a legal move from $(a_i; k_1, k_2)$ to $(b_j; k'_1, k_2)$ by means of its instruction $I$.

For $I$ being a zero-test, had $k_1$ happened to be positive, it would have produced an "untouchable" occurrence of some $N(n_A)$ (see Lemma 2), contrary to the fact that $\mathcal{S}$ ends in the $N(n_A)$-free $(q^A \otimes q^B)$. Thus $k_1 = 0$, and thereby $M$ can legally move from $(a_i; k_1, k_2)$ to $(b_j; k'_1, k_2)$, as well.

Bringing all together, we can construct the desired $M$'s computation from $(a_1; n, 0)$ to $(a_0; 0, 0)$. □
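As an added illustration that is not part of the paper, the following Python code plays the protocol of this section as multiset rewriting: the step of Definition 2, the Horn formulas (3)-(16) as rewrite rules, and a small constructed machine $M$, exhibiting the forced scenario of Lemma 1, the configurations read off the situations (17)/(19), and the obsolete nonce of Lemma 2 that prevents completion once a zero-test is taken with $k_1 > 0$. The fact encoding, the rule names and the program of $M$ are our own assumptions.

```python
"""Multiset-rewriting simulation of the two-participant protocol of Section 3
(constructed example, not the paper's own code). A total situation is a multiset of
atomic facts; each Horn formula (3)-(16) is a rewrite step replacing its left-hand side
by its right-hand side, with a fresh constant per existential variable (Definition 2).
Our own fact encoding: ('p','A'), ('q','A'), ('r','A'), ('s','A',label) are A's state
propositions, ('regA', x) is A_1(x), ('N', m) is N(m); B uses 'B' and 'regB' likewise."""
from collections import Counter
from itertools import count

_fresh = count(1)
def nonce():  # a fresh constant: differs from every label and from every earlier nonce
    return f"nonce{next(_fresh)}"

def rewrite(cfg, lhs, rhs):
    """One scenario step: the closed Horn sequent lhs |- rhs is enabled iff lhs is a
    sub-multiset of cfg; lhs is replaced by rhs and the remainder V is left untouched.
    rhs may be a thunk, so fresh constants are created only by steps that fire."""
    lhs = Counter(lhs)
    if any(cfg[fact] < k for fact, k in lhs.items()):
        return None
    new = Counter(cfg)
    new.subtract(lhs)
    new.update(rhs() if callable(rhs) else rhs)
    return +new  # drop facts whose count fell to zero
def register(cfg, tag):  # content x of the participant's single register fact (tag, x)
    return next((fact[1] for fact in cfg if fact[0] == tag), None)

def role(me, program, init_copies):
    """Horn formulas of participant me in {'A', 'B'}: init (3)/(10), receive (9)/(11),
    perform (4)-(7)/(12)-(15), cleanse (8)/(16). B mirrors A, so one function serves both.
    program maps a label to (kind, target label), kind in 'O', 'I', 'II', 'III'."""
    P, Q, R, REG, mine = ('p', me), ('q', me), ('r', me), 'reg' + me, me.lower()
    S = lambda label: ('s', me, label)
    rules = {}
    def init(cfg):  # A stores n_A and sends n copies of it; B only stores n_B
        def rhs():
            y = nonce()
            return [S('a1') if me == 'A' else R, (REG, y)] + [('N', y)] * init_copies
        return rewrite(cfg, [P], rhs)
    rules['init_' + me] = init
    def cleanse(cfg):  # sigma^A also sends b_0, the cue telling B to cleanse
        out = [('N', 'b0')] if me == 'A' else []
        return rewrite(cfg, [S(mine + '0'), (REG, register(cfg, REG))], [Q] + out)
    rules['cleanse_' + me] = cleanse
    for label in [lab for lab in program if lab[0] == mine] + [mine + '0']:  # rho: my cue
        rules['rho_' + label] = lambda cfg, label=label: rewrite(cfg, [R, ('N', label)], [S(label)])
    for label, (kind, target) in program.items():
        if label[0] != mine:
            continue
        def perform(cfg, label=label, kind=kind, target=target):  # gamma_I
            x = register(cfg, REG)
            lhs, rhs = [S(label)], [R, ('N', target)]
            if kind == 'I':      # increment: keep the nonce, put one more copy on the network
                lhs += [(REG, x)]; rhs += [(REG, x), ('N', x)]
            elif kind == 'II':   # decrement: intercept one network copy of the stored nonce
                lhs += [(REG, x), ('N', x)]; rhs += [(REG, x)]
            elif kind == 'III':  # zero-test: swap in a fresh nonce; nothing checks that k = 0
                lhs += [(REG, x)]; rhs = lambda: [R, ('N', target), (REG, nonce())]
            return rewrite(cfg, lhs, rhs)
        rules['gamma_' + label] = perform
    return rules

def run_scenario(program, n, max_steps=10_000):
    """Play the protocol from p^A (x) p^B on input n (Definition 3): alpha_n and beta_0
    first, then the unique enabled formula (Lemma 1) until none is enabled."""
    rules = {**role('A', program, n), **role('B', program, 0)}
    cfg = rules['init_B'](rules['init_A'](Counter({('p', 'A'): 1, ('p', 'B'): 1})))
    trace = [('alpha_n, beta_0', cfg)]  # list of (rule name, total situation)
    for _ in range(max_steps):
        enabled = [(name, new) for name, rule in rules.items() if (new := rule(cfg)) is not None]
        if not enabled:
            return trace
        assert len(enabled) == 1, "Lemma 1: the scenario is forced"
        name, cfg = enabled[0]
        trace.append((name, cfg))
    raise RuntimeError("scenario did not terminate")
FINAL = Counter({('q', 'A'): 1, ('q', 'B'): 1})
def completed(trace):  # protocol completion (Definition 3): exactly q^A (x) q^B is left
    return trace[-1][1] == FINAL

def represented(trace):
    """M's configurations (label; k_1, k_2) read off the situations of forms (17)/(19):
    label is the s-state a participant is in, k_1 (k_2) counts the network copies of the
    nonce A (B) currently stores; hence after an illegal zero-test the obsolete copies of
    the old nonce are no longer counted (Lemma 2)."""
    out = []
    for _, cfg in trace:
        label = next((f[2] for f in cfg if f[0] == 's'), None)
        if label is not None and label != 'b0':  # b_0 is only the cleansing cue
            out.append((label, cfg[('N', register(cfg, 'regA'))],
                        cfg[('N', register(cfg, 'regB'))]))
    return out

PROGRAM = {  # constructed M, organised "by turns": a_i-instructions act on r_1, b_j ones on r_2
    'a1': ('II', 'b1'),   # a1: r1 := r1 - 1; goto b1
    'b1': ('I', 'a2'),    # b1: r2 := r2 + 1; goto a2
    'a2': ('II', 'b2'),   # a2: r1 := r1 - 1; goto b2
    'b2': ('II', 'a3'),   # b2: r2 := r2 - 1; goto a3
    'a3': ('III', 'b3'),  # a3: if (r1 = 0) goto b3
    'b3': ('O', 'a0'),    # b3: goto a0
}
if __name__ == '__main__':  # (a1; 2, 0) halts in (a0; 0, 0); from (a1; 3, 0) the zero-test is illegal
    for n in (2, 3):
        t = run_scenario(PROGRAM, n); print(n, represented(t), completed(t), list(t[-1][1] - FINAL))
```

For $n = 3$ the zero-test at $a_3$ fires although $r_1 = 1$, so the scenario ends in $q^A \otimes q^B$ plus one obsolete copy of $N(n_A)$ and is not a completion, exactly as in part (C) of the proof.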

Corollary 1. (a) The Horn fragment of pure monadic linear logic, which contains only three unary predicate symbols, and a fixed, but large enough, finite number of 0-ary predicate symbols, and which contains no functional symbols at all, is undecidable.

(b) The protocol completion is undecidable even for the class of protocols with two participants such that each of the two is a finite automaton provided with one register capable of storing one atomic message, all the predicates used are at most unary, and no compound messages are in use.

Proof. Take a fixed $M$ whose halting problem is undecidable. □

4 Monadic Affine Logic

Affine logic is linear logic with the weakening rule (left and right).

Section 2 is extended to Horn affine logic as follows.

We will say that a scenario $\mathcal{S}$ in accordance with $\Gamma$ weakly leads to $Z(c_1,..,c_k)$, starting from $W(a_1,..,a_p)$, if for some $\hat{Z}(c_1,..,c_k,e_1,..,e_q)$ and $V(c_1,..,c_k,e_1,..,e_q)$ such that $\hat{Z}(c_1,..,c_k,e_1,..,e_q) \sim (Z(c_1,..,c_k) \otimes V(c_1,..,c_k,e_1,..,e_q))$, scenario $\mathcal{S}$ leads from $W(a_1,..,a_p)$ to $\hat{Z}(c_1,..,c_k,e_1,..,e_q)$ in the 'strict' sense of Section 2.

Theorem 4 (Scenarios ⟺ Proofs). Let $\Gamma$ consist of Horn formulas. Then both Theorems 1 and 2 remain valid if "leads" is replaced there with "weakly leads", and "linear logic" is replaced there with "affine logic".

Proof. Similar to the proofs of Theorems 1 and 2. □



4.1 One Binary Relation

We encode a Turing machine $M$ that has one tape, which is one-way infinite to the right. The program of $M$ is $I_1,\ldots,I_s$. The initial and final states of $M$ are $l_1$ and $l_0$, respectively. In our encoding we invoke the following predicates:

(a) Propositions $L_i$ are intended to show that: "$M$ is in state $l_i$".

(b) $E(x,y)$ means that: "Cell $y$ is just the next to the right to cell $x$".

(c) The intended meaning of $E_0(x)$ is that: "$x$ is the last cell".

(d) $S(x)$ is intended to indicate that: "$x$ is scanned by $M$".

(e) For any tape symbol $\xi$, $C_\xi(x)$ means that: "Cell $x$ contains symbol $\xi$".

The key point of our encoding is that, given a finite tape, any number of new blank cells can be consecutively 'added' by repeatedly applying the following axiom TAPE ("0" in $C_0(y)$ serves for the blank symbol):

$$\mathrm{TAPE} := \forall x\,(E_0(x) \multimap \exists y\,(E(x,y) \otimes C_0(y) \otimes E_0(y))) \qquad (26)$$



Lemma 3. According to Theorem 4, the provable sequent:

$$!\mathrm{TAPE},\ E_0(c_5) \vdash \exists y_1 y_2\,(E(c_5,y_1) \otimes E(y_1,y_2) \otimes C_0(y_1) \otimes C_0(y_2) \otimes E_0(y_2)),$$

correlates with a scenario leading from $E_0(c_5)$ to an elementary product of the form $(E(c_5,c_6) \otimes E(c_6,c_7) \otimes C_0(c_6) \otimes C_0(c_7) \otimes E_0(c_7))$, which represents the 2-cell extension of the tape (figure: cells $c_5$, $c_6$, $c_7$) filled up with 0s.

An $M$'s configuration, that "$M$ scans the $j$-th cell in state $l_k$, when a string $\xi_1..\xi_t$ is written left-justified on the tape consisting of $t$ cells", is represented as a product of the form: $(L_k \otimes S(c_j) \otimes \bigotimes_{i=1}^{t} C_{\xi_i}(c_i) \otimes \bigotimes_{i=1}^{t-1} E(c_i, c_{i+1}) \otimes E_0(c_t))$. Each of the $M$'s instructions is axiomatized as follows:

(a) The instruction $I$: "if in state $l_i$ looking at symbol $\xi$, replace it by $\eta$, move the tape head one cell to the right along the tape, and go into state $l_j$", is specified by the Horn axiom: $\beta_I := \forall x, y\,((L_i \otimes S(x) \otimes C_\xi(x) \otimes E(x,y)) \multimap (L_j \otimes S(y) \otimes C_\eta(x) \otimes E(x,y)))$.

(b) The instruction $I$: "if in state $l_i$ looking at symbol $\xi$, replace it by $\eta$, move the tape head one cell to the left along the tape, and go into state $l_j$", is specified by the Horn axiom: $\beta_I := \forall x, y\,((L_i \otimes S(y) \otimes C_\xi(y) \otimes E(x,y)) \multimap (L_j \otimes S(x) \otimes C_\eta(y) \otimes E(x,y)))$.

(c) The instruction $I$: "if in state $l_i$ looking at symbol $\xi$, replace it by $\eta$, and go into state $l_j$ (without move)", is specified by the Horn axiom: $\beta_I := \forall x\,((L_i \otimes S(x) \otimes C_\xi(x)) \multimap (L_j \otimes S(x) \otimes C_\eta(x)))$.



Theorem 5. For any input string $\zeta_1\zeta_2..\zeta_n$, there is an exact correspondence between the terminated computations performed by $M$, starting with the given input $\zeta_1\zeta_2..\zeta_n$, and the affine logic derivations for the following sequent, where $B_M := \beta_{I_1}, .., \beta_{I_s}$, and $c_1, c_2, .., c_n$ are distinct constants:

$$!\mathrm{TAPE},\ !B_M,\ L_1,\ S(c_1),\ \bigotimes_{i=1}^{n} C_{\zeta_i}(c_i),\ \bigotimes_{i=1}^{n-1} E(c_i, c_{i+1}),\ E_0(c_n) \vdash L_0. \qquad (27)$$

Proof. Let us sketch the main points.
(A) [$M$'s Computations ⟹ Proofs]. The initial $M$'s configuration is represented by:

$$(L_1 \otimes S(c_1) \otimes \bigotimes_{i=1}^{n} C_{\zeta_i}(c_i) \otimes \bigotimes_{i=1}^{n-1} E(c_i, c_{i+1}) \otimes E_0(c_n)). \qquad (28)$$

A given terminated $M$'s computation is performed within the finite tape of some length $t$, so that the length of each of the $M$'s configurations in question is assumed to be $t$. We expand the input $\zeta_1..\zeta_n$ to $\zeta_1..\zeta_n\zeta_{n+1}..\zeta_t$ by setting $\zeta_k = 0$ for $k > n$. By our construction, this $M$'s computation can be redefined as a scenario, leading from a closed elementary product of the expanded 'initial' form:

$$(L_1 \otimes S(c_1) \otimes \bigotimes_{i=1}^{t} C_{\zeta_i}(c_i) \otimes \bigotimes_{i=1}^{t-1} E(c_i, c_{i+1}) \otimes E_0(c_t)), \qquad (29)$$

(representing the initial $M$'s configuration with the input $\zeta_1..\zeta_n$) to:

$$(L_0 \otimes S(c_j) \otimes \bigotimes_{i=1}^{t} C_{\kappa_i}(c_i) \otimes \bigotimes_{i=1}^{t-1} E(c_i, c_{i+1}) \otimes E_0(c_t)), \qquad (30)$$

representing the final $M$'s configuration with the string $\kappa_1..\kappa_t$ on the tape. Our TAPE provides the way from (28) to (29) (see Lemma 3).

Having summarized, we obtain a scenario, which weakly leads from (28) to $L_0$ in accordance with TAPE, $B_M$. Theorem 4 yields a derivation for (27).

(B) [Proofs ⟹ $M$'s Computations]. By Theorem 4, any proof for (27) can be transformed into a scenario $\mathcal{S}$ that weakly leads from (28) to $L_0$ in accordance with TAPE, $B_M$. Since each of the steps of $\mathcal{S}$ is controlled either by TAPE or by some $\beta_I$, any intermediate $\mathrm{Config}(v)$ is to be of the form:

$$(L_k \otimes S(c_j) \otimes \bigotimes_{i=1}^{m} C_{\xi_i}(c_i) \otimes \bigotimes_{i=1}^{m-1} E(c_i, c_{i+1}) \otimes E_0(c_m)), \qquad (31)$$

representing thereby a certain $M$'s configuration. From $M$'s point of view, TAPE just expands the tape with one blank cell. The enabling conditions of $\beta_I$ provide that $M$ can get into the configuration represented by (31) by means of $I$ applied to the previous one.

Bringing together all the steps of $\mathcal{S}$, we construct an $M$'s computation that, starting from the initial $M$'s configuration with $\zeta_1..\zeta_n$ represented by (28), leads to an $M$'s configuration with state $l_0$, corresponding to the last step of $\mathcal{S}$. □

Corollary 2. In contrast to the decidability of the monadic second-order theory of linear order [26], the Horn fragment of pure first-order affine logic, which contains only one binary predicate symbol, four unary predicate symbols, and a fixed, but large enough, finite number of 0-ary predicate symbols, and which contains no functional symbols at all, is undecidable.

Proof. Take an $M$ with 2 tape symbols, whose halting problem is undecidable. □
4.2 One Zero $c$, One Successor $f$, no ∃-Quantifier

We encode here an old-fashioned 2-counter Minsky machine $M$, whose program is $I_1,\ldots,I_s$, each $I$ being of one of the following types:

(I) $l_i$ : $r_m := r_m + 1$; goto $l_j$;   (II) $l_i$ : $r_m := r_m - 1$; goto $l_j$;   (III) $l_i$ : if ($r_m = 0$) goto $l_j$;

Here $l_i$ and $l_j$ are states, $i \geq 1$, and $r_m$ represents the $m$-th counter.

In our encoding we invoke the following predicates:

(a) Propositions $L_i$ are intended to tell us that: "$M$ is in state $l_i$".

(b) The intended meaning of $R_m(x)$ is that: "counter $r_m$ contains $x$".

(c) A configuration $(l_i; k_1, k_2)$ is represented by: $(L_i \otimes R_1(f^{k_1}(c)) \otimes R_2(f^{k_2}(c)))$.

Each of the instructions is axiomatized in the following way:

(I) An instruction $I$ of the form (I) is axiomatized by $\varphi_I := \forall x\,((L_i \otimes R_m(x)) \multimap (L_j \otimes R_m(f(x))))$.

(II) An instruction $I$ of the form (II) is axiomatized by $\varphi_I := \forall x\,((L_i \otimes R_m(f(x))) \multimap (L_j \otimes R_m(x)))$.

(III) The zero-test $I$ of the form (III) is axiomatized by $\varphi_I := ((L_i \otimes R_m(c)) \multimap (L_j \otimes R_m(c)))$.

Theorem 6. For any $k_1$ and $k_2$, there is an exact correspondence between the computations, performed by $M$, which lead from $(l_1; k_1, k_2)$ to $(l_0; 0, 0)$, and the affine logic derivations (linear logic derivations) for the following sequent, where $\Gamma_M := \varphi_{I_1}, .., \varphi_{I_s}$ and $f^k(c) := f(f(\ldots f(c)))$ ($k$ times):

$$!\Gamma_M,\ L_1,\ R_1(f^{k_1}(c)),\ R_2(f^{k_2}(c)) \vdash (L_0 \otimes R_1(c) \otimes R_2(c)).$$

Proof. There is a direct correlation between the $M$'s computations, leading from $(l_1; k_1, k_2)$ to $(l_0; 0, 0)$, and the scenarios, which lead from $(L_1 \otimes R_1(f^{k_1}(c)) \otimes R_2(f^{k_2}(c)))$ to $(L_0 \otimes R_1(c) \otimes R_2(c))$ in accordance with $\Gamma_M$. It remains to apply Theorem 4 (or Theorems 1 and 2 in the LL case). □

Corollary 3. In contrast to decidability of the monadic second-order theories of one and two successors [1,26], the ∃-free Horn fragment of monadic affine logic, as well as the ∃-free Horn fragment of monadic linear logic, containing only one "zero" and one "successor", two unary predicate symbols, and a fixed, but large enough, finite number of propositions, are undecidable.

5 Concluding Remarks 

One can read Girard’s original 1986 translations of quantified classical logic into 
linear logic as providing an undecidability proof of the general quantified case. 
Since the classical monadic cases are decidable, we need new techniques to prove 
the results that contrast with results for classical logic and complement previous 
results on linear logic. 

The main result of the paper is that pure monadic linear logic is undecidable, even in the Horn function-symbol-free fragment. This result uses a novel encoding of 2-counter machines. Given what we know of related results, and of the computational complexity of linear logic, it is not surprising to encode such commands as goto, increment, and decrement. The main new idea relates to testing for zero, and also the structure of the machines used is organized to emphasize connections with communication protocols. Although the decision problem for the full propositional multiplicative-exponential fragment of linear logic remains open, from the Horn point of view we have accomplished the full picture. Propositional pure Horn linear logic is decidable, but its complexity is that of the reachability problem for Petri nets [10,13]. The next step, toward the pure monadic Horn fragment of linear logic, is shown here to yield undecidability.

From this undecidability result, an argument for the undecidability of protocol analysis of the Dolev-Yao variety is put forward. We have shown that the optimistic protocol completion is undecidable even for the class of protocols with two participants such that either of them is a finite automaton provided with one register to store one atomic message, all the predicates used are at most unary, and no compound messages are in use. In the light of this result the role of decomposition and composition of messages seems to be overestimated: even on the monadic stage without any composition rules we run into difficulties with the overwhelming power of nonces.

One could claim that the undecidability of the problem of optimistic protocol completion in the absence of an intruder is not so interesting, since the standard security protocol settings include some model of the intruder, who, for instance, can control the network, and can duplicate and delete messages (but not the state of protocol participants), and such an intruder model would clearly disrupt our encoding of 2-counter machines. But many of the approaches for analyzing and reasoning about protocols are based on certain formal specification languages, and, prior to analysis of protocol properties related to unreliable broadcast, we have to show that our formal specification of a given protocol meets the protocol rules and conventions at least under ideal conditions when no one interferes with network transmission.

As compared to [3,7], the undecidability of the secrecy problem there is essentially based on the Cook encoding of Turing machines in terms of classical binary predicates. The use of nonces and compound messages is critical there (in [7] there is an a priori bound on the depth of messages, so encryption and decryption are less important). Since the classical monadic cases are decidable, their results do not translate directly into the pure monadic case. On the other hand, our technique for the undecidability of the optimistic protocol completion can provide undecidability of the secrecy problem even in the case where no compound messages are present. (This might shed some light on why the replay attack is so popular.)

We have also investigated the decision problems of monadic affine logic. In 
contrast to the classical results of the decidability of the monadic second-order 
theories of one and two successors and the decidability of the monadic second- 
order theory of linear order [1,26], we have shown: 

(a) the undecidability of the Horn fragment of affine logic, which involves only one binary predicate symbol, four unary predicate symbols, and a fixed finite number of propositions, and which contains no functional symbols at all;

(b) and the undecidability of the ∃-free Horn fragment of monadic affine logic, which involves only one "zero" and one "successor", two unary predicate symbols, and a fixed finite number of propositions.
Abstract. We introduce the calculus of structures; it is more general than the sequent calculus and it allows for cut elimination and the subformula property. We show a simple extension of multiplicative linear logic, by a self-dual non-commutative operator inspired by CCS, that seems not to be expressible in the sequent calculus. Then we show that multiplicative exponential linear logic benefits from its presentation in the calculus of structures, especially because we can replace the ordinary, global promotion rule by a local version. These formal systems, for which we prove cut elimination, outline a range of techniques and properties that were not previously available. Contrarily to what happens in the sequent calculus, the cut elimination proof is modular.



1 Introduction 



The sequent calculus [5] is very appropriate for classical logic, but it has some problems 
in dealing with more refined logics like linear logic [6]. Observing certain logical 
relations in the sequent calculus might be impossible. In this paper we show a calculus, 
called the calculus of structures, which is able to overcome those difficulties. 

We call calculus a framework, like natural deduction or the sequent calculus, for 
specifying logical systems. We say formal system to indicate a collection of inference 
rules in a given calculus. A derivation is a composition of instances of inference rules, 
a proof is a derivation free from hypotheses. 

A proof in the sequent calculus is a tree, and branching occurs when two-premise 
rules are used. The two branches are statements that proofs exist for both premises. 
At the meta level, we say that the left branch is a proof and the right branch is a 
proof. In classical logic, this ‘and’ corresponds to the ‘and’ at the object level. This 
is not the case in other logics, like in linear logic. 

Another founding property of the sequent calculus is the pivotal role of main 
connectives. Given a main connective in the conclusion, a rule gives meaning to it 
by saying that the conclusion is provable if subformulae obtained by removing the 
connective are in turn provable. 

These two properties together have remarkable success in making the study of 
systems independent of their semantics, which is important if a semantics is incom- 
plete, missing or still under development, as often happens in computer science. The 
problem is that the sequent calculus is unnecessarily rigid for some logics. We can 
relax the ‘and’ branching between premise trees, and abandon the decomposing of the 
conclusion around the main connective of one of its formulae. The question is whether 
we can do so while keeping the good properties, cut elimination especially. 

The calculus of structures draws from a very simple principle, which is very dangerous if not realised with care. The inference rules are of the kind

$$\rho\,\frac{S\{T\}}{S\{R\}}$$

where premise and conclusion are structures, i.e., formulae subject to certain equivalences (associativity, commutativity, units, ...). A structure $S\{R\}$ is a structure context $S\{\ \}$, whose hole is filled by the structure $R$. The rule scheme $\rho$ above specifies that if a structure matches $R$, in a context $S\{\ \}$, it can be rewritten as specified by $T$, in the same context $S\{\ \}$ (or vice versa if one reasons top-down). A rule corresponds to implementing in the formal system any axiom $T \Rightarrow R$, where $\Rightarrow$ stands for the implication we model in the system. The danger lies in the words 'any axiom'.

In fact, rules could be used as axioms of a generic Hilbert system, where there 
is no special, structural relation between T and R. But then all the good proof 
theoretical properties would be lost. Our challenge is to design inference rules in a 
way that is conservative enough to allow us to prove cut elimination, and such that 
they possess the subformula property. Still we have to be liberal enough to overcome 
the problems of rigidity mentioned above. 

It is important to note that the calculus of structures is more general than the 
sequent calculus, for logics with De Morgan rules. Any system that admits a one-sided 
presentation can be ported, trivially, to the calculus of structures. But, since we can 
do more, we want to use the new expressive capabilities to get new logics, or to make 
old logics better. We will do both things in this paper (without paying a big price). 

Rules come in pairs, 

$$\rho{\downarrow}\,\frac{S\{T\}}{S\{R\}}\ \text{(down version)}\qquad\text{and}\qquad \rho{\uparrow}\,\frac{S\{\bar R\}}{S\{\bar T\}}\ \text{(up version)},$$ 

where $\bar U$ is the negation of U and S stands for any context. This duality derives from 
the duality between T ⇒ R and $\bar R \Rightarrow \bar T$. We would like to dispose of the up rules 
without affecting provability — after all, T ⇒ R and $\bar R \Rightarrow \bar T$ are equivalent statements 
in many logics. The cut rule splits into several up rules, and this makes for a modular 
decomposition of the cut elimination argument, since we can get rid of up rules one 
after the other. This is one of the main achievements of our paper (in [7], p. 15, Girard 
deems as ‘rather shocking’ this lack of modularity in the sequent calculus). 



Derivations in the calculus of structures are chains of instances of rules. Con- 
trarily to what happens in the sequent calculus, whose derivations are trees, our deri- 
vations have a top-down symmetry. This allows for new manipulations of derivations. 
For example, permuting down certain rules, like the cut, is easier than in the sequent 
calculus; entire derivations may be flipped upside down and negated and they still are 
valid derivations; and so on. The most important consequence of the new symmetry 
is that the cut rule 

$$\mathsf{i}{\uparrow}\,\frac{S(R,\bar R)}{S\{\bot\}}$$ 

becomes top-down symmetric to the identity rule 

$$\mathsf{i}{\downarrow}\,\frac{S\{1\}}{S[R,\bar R]}$$ 

((R,T) and [R,T] denote the conjunction and the disjunction of 
R and T, and 1 and ⊥ are the conjunctive and disjunctive units). It is then possible 
to reduce the cut rule to its atomic variant 

$$\mathsf{ai}{\uparrow}\,\frac{S(a,\bar a)}{S\{\bot\}}\ ,$$ 

the same way as identity can 
be just required for atoms in most systems in the sequent calculus. The reduction of 
cut to its atomic form simplifies the cut elimination argument, since there is no more 
interaction between a cut’s principal formula and the structure of the proof. 

We believe that the development of a calculus must be driven by its systems. 
Here we develop two systems inside the calculus of structures. The first one, in 
Sect. 2, is system BV (Basic system V) [8]. It is equivalent to multiplicative linear 
logic plus mix, extended by a non-commutative self-dual operator. System BV is 
motivated by the desire to grasp a sequential operator, like that of CCS [12], in a 
logical system, especially from a proof-search perspective. The logic obtained seems 
not to be expressible in the sequent calculus, certainly not in a simple way, while in 
our calculus it is straightforward. System BV is just a first, but crucial step toward a 
logical system encompassing languages of distributed computation. The methodology 
for designing systems, induced by the calculus of structures, is outlined in that section. 

We start from a very simple observation. A basic reaction in CCS is $a \mid \bar a \to 0$: the 
two parallel processes a and $\bar a$ communicate and rewrite to the empty process 0. This 
naturally corresponds to the identity axiom in logic, if we express complementation 
in CCS by negation; the parallel composition ‘|’ corresponds to disjunction (linear 
logic’s multiplicative disjunction corresponds remarkably well, see for example [10]). 
Consider now sequential composition, as in the process a.b: the dual of this process 
must be $\overline{a.b} = \bar a.\bar b$, since $a.b \mid \bar a.\bar b \to^* 0$. Then, we need a self-dual non-commutative 
logical operator for modelling sequential composition. We are not committing to CCS; 
we just observe that, as witnessed by CCS, there is a natural way of seeing parallel 
and sequential compositions in a logical system. 

In Sect. 3 the system ELS (multiplicative Exponential Linear logic in the calculus 
of Structures) is shown [16]. A first reason to study this system, which is equivalent 
to sequent calculus’s MELL, is to see how our calculus performs on a system that is 
studied already elsewhere. We get a surprising result: the promotion rule can be made 
local, which is unlikely in the sequent calculus. 

There is another reason for studying MELL in our calculus: we plan to enrich 
BV with contraction, in the hope of making it Turing equivalent. To this purpose, we 
need exponentials to control contraction, because we do not want to destroy the good 
behaviour of multiplicative disjunction with respect to parallel composition (what is 
known as ‘resource sensitivity’). 

For both systems BV and ELS we state decomposition theorems: rules in deriva- 
tions can be rearranged in a highly structured way (impossible in the sequent calculus) 
where subsystems of a given system are applied in sequence. Decomposition results 
allow us greatly to simplify the cut elimination proofs and are (still mysteriously) 
linked to other features of the systems under study. These theorems are welcome 
because proving cut elimination in the calculus of structures can be harder than in 
the sequent calculus, due to the more liberal applicability of inference rules. 

We also prove cut elimination for both systems, and, overall, the argument 
is quite different than the usual one in the sequent calculus. Exploring the new 
methodology is by itself interesting, because there is the possibility of characterising 
the property of cut elimination in a more systematic way than before. 

This paper only deals with syntax: our sole purpose is to present the calculus of 
structures and its properties. MELL is, of course, semantically well-known, and then 
so is ELS. System BV has been discovered by trace semantics [8]. 



2 Non-commutativity 

A system in our calculus requires a language of structures. These are sort of inter- 
mediate expressions between formulae and sequents. Here we define the language for 
systems BV and SBV, and we call it BV. Intuitively, $[S_1, \ldots, S_h]$ corresponds to a 
sequent in linear logic, whose formulae are connected by pars, and associativity and 
commutativity are taken into account. The structure $(S_1, \ldots, S_h)$ corresponds to the 
times connection of $S_1, \ldots, S_h$; it is associative and commutative. The structure 
$\langle S_1; \ldots; S_h\rangle$ is associative and non-commutative: this corresponds to the new logical 
relation we introduce. All the details for this section can be found in [8]. 

2.1 Definition There are infinitely many positive literals and negative literals. Lit- 
erals, positive or negative, are denoted by a, b, ... . Structures are denoted by S, P, 
Q, R, T, U and V. The structures of the language BV are generated by 

$$S ::= a \mid \circ \mid [\underbrace{S,\ldots,S}_{>0}] \mid (\underbrace{S,\ldots,S}_{>0}) \mid \langle\underbrace{S;\ldots;S}_{>0}\rangle \mid \bar S\ ,$$ 

where o, the unit, is not a literal; $[S_1, \ldots, S_h]$ is a par structure, $(S_1, \ldots, S_h)$ is a 
times structure and $\langle S_1; \ldots; S_h\rangle$ is a seq structure; $\bar S$ is the negation of the structure 
S. Structures with a hole that does not appear in the scope of a negation are denoted 
by S{ }. The structure R is a substructure of S{R}, and S{ } is its context. We 
simplify the indication of context in cases where structural parentheses fill the hole 
exactly: for example, S[R, T] stands for S{[R, T]}. 

Structures come with equational theories establishing some basic, decidable al- 
gebraic laws by which structures are indistinguishable. There is an analogue in the 
laws of associativity, commutativity, idempotency, and so on, usually imposed on se- 
quents. We will see these laws together with the inference rules. It would be possible, 
of course, to introduce the equational laws by inference rules. But, having dropped 
connectives, our choice makes matters much clearer. 

The next step in defining a system is giving its inference rules. The following 
definition is general, i.e., it holds for any system, not just BV. 

2.2 Definition An (inference) rule is any scheme 

$$\rho\,\frac{T}{R}\ ,$$ 

where ρ is the name of the 
rule, T is its premise and R is its conclusion. Rule names are denoted by ρ and π. 
A (formal) system, denoted by $\mathcal S$, is a set of rules. A derivation in a system $\mathcal S$ is a 
finite or infinite chain of instances of rules of $\mathcal S$, and is denoted by Δ. A derivation 
can consist of just one structure. The topmost structure in a derivation, if present, is 
called its premise; if present, the lowest structure is called conclusion. A derivation 
Δ whose premise is T, conclusion is R, and whose rules are in $\mathcal S$ is denoted by 
$T\;\|_{\mathcal S}\;R$, read from the premise T down to the conclusion R. 
A typical rule has shape 

$$\rho\,\frac{S\{T\}}{S\{R\}}$$ 

and specifies a step of rewriting, by the impli- 
cation T ⇒ R, inside a generic context S{ }. Rules with empty contexts correspond 
to the case of the sequent calculus. It is important to note that the notion of derivation 
is top-down symmetric. Logical axioms for the given systems will be given separately 
from the rules. They will induce the concept of proof, and their introduction is our 
way of breaking the symmetry and observing the usual proof theoretical properties, 
like cut elimination. We will be dealing with proofs only later in the section. 

Let us see a system that deals with the new non-commutative logical relation. 
It is made by two sub-systems; one for interaction and the other for structure. The 
interaction fragment deals with negation, i.e., duality. It corresponds to identity and 
cut in the sequent calculus. In our calculus these rules become mutually top-down 
symmetric and both admit decompositions into their atomic counterparts. 

The structure fragment corresponds, mainly, to logical rules in the sequent cal- 
culus; it defines the logical relations. Differently from the sequent calculus, the logical 
relations need not be defined in isolation, rather complex contexts can be taken into 
consideration. In the following system, as well as in the system in the next section, 
we consider pairs of logical relations, one inside the other. 
$$\begin{array}{ll}
\text{Associativity} & \text{Commutativity}\\
{[\vec R,[\vec T]] = [\vec R,\vec T]} & {[\vec R,\vec T] = [\vec T,\vec R]}\\
(\vec R,(\vec T)) = (\vec R,\vec T) & (\vec R,\vec T) = (\vec T,\vec R)\\
\langle\vec R;\langle\vec T\rangle;\vec U\rangle = \langle\vec R;\vec T;\vec U\rangle & \\
\text{Unit} & \text{Negation}\\
{[\circ,\vec R] = [\vec R]} & \bar\circ = \circ\\
(\circ,\vec R) = (\vec R) & \overline{[R_1,\ldots,R_h]} = (\bar R_1,\ldots,\bar R_h)\\
\langle\circ;\vec R\rangle = \langle\vec R;\circ\rangle = \langle\vec R\rangle & \overline{(R_1,\ldots,R_h)} = [\bar R_1,\ldots,\bar R_h]\\
\text{Singleton} & \overline{\langle R_1;\ldots;R_h\rangle} = \langle\bar R_1;\ldots;\bar R_h\rangle\\
{[R] = (R) = \langle R\rangle = R} & \bar{\bar R} = R\\
\text{Contextual Closure} & \\
\text{if } R = T \text{ then } S\{R\} = S\{T\} & 
\end{array}$$ 

$$\begin{array}{ll}
\text{interaction} & \mathsf{ai}{\downarrow}\,\dfrac{S\{\circ\}}{S[a,\bar a]}\qquad \mathsf{ai}{\uparrow}\,\dfrac{S(a,\bar a)}{S\{\circ\}}\\[1.5em]
\text{structure (core)} & \mathsf{s}\,\dfrac{S([R,T],U)}{S[(R,U),T]}\qquad \mathsf{q}{\downarrow}\,\dfrac{S\langle[R,T];[R',T']\rangle}{S[\langle R;R'\rangle,\langle T;T'\rangle]}\qquad \mathsf{q}{\uparrow}\,\dfrac{S(\langle R;T\rangle,\langle R';T'\rangle)}{S\langle(R,R');(T,T')\rangle}
\end{array}$$ 

Fig. 1 Left: syntactic equivalence = for BV. Right: system SBV 

2.3 Definition The structures of the language BV are equivalent modulo the rela- 
tion =, defined at the left of Fig. 1. There, $\vec R$, $\vec T$ and $\vec U$ stand for finite, non-empty 
sequences of structures (sequences may contain ‘,’ or ‘;’ separators as appropriate in 
the context). At the right of the figure, system SBV is shown (Symmetric, or Self- 
dual, Basic system V). The rules ai↓, ai↑, s, q↓ and q↑ are called respectively atomic 
interaction, atomic cut (or atomic cointeraction), switch, seq and coseq. The down 
fragment of SBV is {ai↓, s, q↓}, the up fragment is {ai↑, s, q↑}. 

Negation is involutive and can be pushed directly over atoms. The unit o is self- 
dual and common to the three logical relations. One may think of it as a convenient 
way of expressing the empty sequence. Of course, rules become very flexible in the 
presence of such a unit. For example, the following notable derivation is valid: 

$$\mathsf{q}{\downarrow}\,\frac{\langle a;b\rangle}{[a,b]}\;=\;\mathsf{q}{\downarrow}\,\frac{\langle[a,\circ];[\circ,b]\rangle}{[\langle a;\circ\rangle,\langle\circ;b\rangle]}\ .$$ 

Here is a derivation for the CCS reaction $a.b \mid \bar a.\bar b \to^* 0$: 

$$\mathsf{q}{\downarrow}\,\frac{\mathsf{ai}{\downarrow}\,\dfrac{[b,\bar b]}{\langle[a,\bar a];[b,\bar b]\rangle}}{[\langle a;b\rangle,\langle\bar a;\bar b\rangle]}\ .$$ 

Please note that $[\langle a;b\rangle,\langle\bar b;\bar a\rangle]$ admits no derivation where both $[a,\bar a]$ and $[b,\bar b]$ inter- 
act. As the reader may notice, the correspondence with CCS is truly straightforward. 
The instance of the rule q↓ above can not be expressed in the sequent calculus, because 

1 there should be two premises $\vdash a,\bar a$ ‘and’ $\vdash b,\bar b$, but we would have big problems 
with cut elimination, essentially because ‘and’ is too strong; 

2 there is no principal connective in the conclusion, rather there are two of them 
to be considered together, namely, the two seq relations between a and b and 
between $\bar a$ and $\bar b$. 

We do not mean that similar logics cannot be expressed in any other calculus. For 
example, Retoré does it in [13, 14], in proof nets. His logic is very close to ours, 



possibly the same, but the exact correspondence is at present unknown. None has 
been able to define in the sequent calculus a self-dual non-commutative relation that 
lives with commutative ones. We should mention the work [2, 15] by Abrusci and 
Ruet: they mix commutative and non-commutative relations in a sequent system, but 
instead of one self-dual sequential connective, they have two mutually dual ones. 
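The structures, equational theory and rules of this section can be modelled directly as a rewriting system, which makes the CCS example above mechanically checkable. The following Python program is an added example written for this edition, not code from the paper or its authors: it normalises BV structures modulo the equations of Fig. 1, pushes negation to the atoms, reads the rules ai↓, s and q↓ bottom-up (from conclusion to premise, the direction of proof search) and runs a bounded search for the axiom o↓. The tuple encoding, the ASCII rendering (a~ for $\bar a$, <..;..> for seq) and all function names are the example's own assumptions, not the authors' notation.

```python
from itertools import combinations

# Added example: BV structures (Definition 2.1) as nested tuples, an assumed encoding:
#   ('at', name, negated) is a literal, O is the unit o, ('par', kids), ('tim', kids)
#   and ('seq', kids) are [..], (..) and <..;..>.
O = ('o',)
DUAL = {'par': 'tim', 'tim': 'par', 'seq': 'seq'}

def atom(name, negated=False): return ('at', name, negated)

def mk(kind, items):
    """Par/times/seq normalised modulo Fig. 1: associativity, unit, singleton, commutativity (not for seq)."""
    flat = []
    for x in items:
        x = norm(x)
        if x != O:
            flat.extend(x[1] if x[0] == kind else [x])
    if not flat: return O
    if len(flat) == 1: return flat[0]
    return (kind, tuple(flat if kind == 'seq' else sorted(flat)))

def norm(s):
    return s if s[0] in ('o', 'at') else mk(s[0], s[1])

def neg(s):
    """Negation pushed to the atoms (Fig. 1): par and times swap, seq is self-dual."""
    if s == O: return O
    if s[0] == 'at': return ('at', s[1], not s[2])
    return mk(DUAL[s[0]], [neg(x) for x in s[1]])

def splits(x):
    """Ways of reading x as <R; R'>; the unit gives <o; x> = <x; o> = x."""
    if x[0] == 'seq':
        return [(mk('seq', x[1][:k]), mk('seq', x[1][k:])) for k in range(len(x[1]) + 1)]
    return [(O, x), (x, O)]

def subsets(idx):
    """Non-empty sub-multisets (as index sets) of the elements of a par or times."""
    return [set(c) for n in range(1, len(idx) + 1) for c in combinations(idx, n)]

def local_par(E):
    """Premises of rule instances whose redex sits in the par with elements E (read bottom-up)."""
    n = len(E)
    rest = lambda used: [E[k] for k in range(n) if k not in used]
    for i, j in combinations(range(n), 2):
        a, b = E[i], E[j]
        if a[0] == b[0] == 'at' and a[1] == b[1] and a[2] != b[2]:
            yield mk('par', rest({i, j}))               # ai-down: S{o} / S[a, a~]
        for r, r2 in splits(a):                         # q-down: S<[R,T];[R',T']> / S[<R;R'>,<T;T'>]
            for t, t2 in splits(b):
                yield mk('par', rest({i, j}) + [mk('seq', [mk('par', [r, t]), mk('par', [r2, t2])])])
    for i in range(n):                                  # s: S([R,T],U) / S[(R,U),T]
        if E[i][0] != 'tim':
            continue
        C = E[i][1]
        for R in subsets(range(len(C))):
            U = [C[k] for k in range(len(C)) if k not in R]
            for T in subsets([k for k in range(n) if k != i]):
                if U:
                    RT = mk('par', [mk('tim', [C[k] for k in R])] + [E[k] for k in T])
                    yield mk('par', rest({i} | T) + [mk('tim', [RT, mk('tim', U)])])
    for X in subsets(range(n)):                         # s with R = o: [U,T] comes from (U,T)
        for Y in subsets([k for k in range(n) if k not in X and k > min(X)]):
            yield mk('par', rest(X | Y) + [mk('tim', [mk('par', [E[k] for k in X]), mk('par', [E[k] for k in Y])])])

def rewrites(s):
    """Premises obtainable from conclusion s by one bottom-up step of a BV rule, at any depth."""
    if s[0] in ('o', 'at'): return
    if s[0] == 'par':
        yield from local_par(s[1])
    for i, kid in enumerate(s[1]):
        for p in rewrites(kid):
            yield mk(s[0], s[1][:i] + (p,) + s[1][i + 1:])

def is_step(premise, conclusion):
    """True if premise / conclusion is an instance of ai-down, s or q-down modulo =."""
    return norm(premise) in set(rewrites(norm(conclusion)))

def provable(s, limit=5000):
    """Bounded bottom-up proof search in BV: rewrite the conclusion until the axiom o-down applies."""
    seen, stack = set(), [norm(s)]
    while stack and len(seen) < limit:
        cur = stack.pop()
        if cur == O:
            return True
        if cur not in seen:
            seen.add(cur)
            stack.extend(rewrites(cur))
    return False

def ccs_example():
    """Sect. 2's CCS reaction a.b | a~.b~ ->* 0 is derivable; [<a;b>, <b~;a~>] is not."""
    a, b = atom('a'), atom('b')
    ab = mk('seq', [a, b])
    good, bad = mk('par', [ab, neg(ab)]), mk('par', [ab, mk('seq', [neg(b), neg(a)])])
    return provable(good), provable(bad)
```

`provable` finds the derivation of $[\langle a;b\rangle,\langle\bar a;\bar b\rangle]$ shown above and reports $[\langle a;b\rangle,\langle\bar b;\bar a\rangle]$ as underivable; `is_step` checks single derivation steps, for instance that q↓ has an instance with premise $\langle a;b\rangle$ and conclusion $[a,b]$ (the notable derivation above) but none in the other direction. The search is sound because every bottom-up step is a genuine rule instance, and it terminates because the atoms never increase and repeated structures are skipped; the unit laws are what make `splits` and the R = o case of switch necessary.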

A way of understanding the rule s is by considering linear logic’s times rule 

$$\otimes\,\frac{\vdash A,\Phi\qquad \vdash B,\Psi}{\vdash A\otimes B,\Phi,\Psi}\ .$$ 

This rule is mimicked by 

$$\mathsf{s}\,\frac{\mathsf{s}\,\dfrac{([R_A,T_\Phi],[U_B,V_\Psi])}{[([R_A,T_\Phi],U_B),V_\Psi]}}{[(R_A,U_B),T_\Phi,V_\Psi]}\ ,$$ 

where $R_A$, $U_B$, $T_\Phi$ and $V_\Psi$ correspond to the formulae A, B and the multisets of 
formulae Φ and Ψ. The two s instances could be swapped: the substructures in the 
par context can be brought inside the times structure independently. We have no 
combinatorial explosion in the splitting of a times context [9, 11], which depends 
on the impossibility, in the sequent calculus, of representing the middle structure in 
the derivation above. In fact, the lazy splitting algorithm of [9] is here represented 
naturally and simply. 

System SBV is designed to ensure the subformula property: all the rule premises 
are made of substructures of the conclusions, except for the cut rule. This is of course 
a key ingredient in consistency arguments, and a basis for proof search. 

2.4 Definition The following rules are called interaction and cut (or cointeraction): 

$$\mathsf{i}{\downarrow}\,\frac{S\{\circ\}}{S[R,\bar R]}\qquad\text{and}\qquad \mathsf{i}{\uparrow}\,\frac{S(R,\bar R)}{S\{\circ\}}\ ;$$ 

R and $\bar R$ are called principal structures. 

The sequent calculus rule 

$$\mathsf{cut}\,\frac{\vdash A,\Phi\qquad \vdash A^\bot,\Psi}{\vdash \Phi,\Psi}$$ 

is realised as 

$$\mathsf{i}{\uparrow}\,\frac{\mathsf{s}\,\dfrac{\mathsf{s}\,\dfrac{([R_A,T_\Phi],[\bar R_A,V_\Psi])}{[([R_A,T_\Phi],\bar R_A),V_\Psi]}}{[(R_A,\bar R_A),T_\Phi,V_\Psi]}}{[T_\Phi,V_\Psi]}\ .$$ 
The next theorem states the reduction of the interaction rules to atomic form. 

2.5 Definition A rule ρ is strongly admissible for the system $\mathcal S$ if $\rho\notin\mathcal S$ and for 
every instance $\rho\,\frac{T}{R}$ there exists a derivation $T\;\|_{\mathcal S}\;R$. The systems $\mathcal S$ and $\mathcal S'$ are strongly 
equivalent if for every derivation $T\;\|_{\mathcal S}\;R$ there exists a derivation $T\;\|_{\mathcal S'}\;R$ and vice versa. 

2.6 Theorem The rules i↓ and i↑ are strongly admissible for the systems {ai↓, s, q↓} 
and {ai↑, s, q↑}, respectively. 

Proof Structural induction on the principal structure. We show the inductive cases of i↑: 

$$\mathsf{i}{\uparrow}\,\frac{\mathsf{i}{\uparrow}\,\dfrac{\mathsf{q}{\uparrow}\,\dfrac{S(\langle P;Q\rangle,\langle\bar P;\bar Q\rangle)}{S\langle(P,\bar P);(Q,\bar Q)\rangle}}{S(Q,\bar Q)}}{S\{\circ\}}
\qquad\text{and}\qquad
\mathsf{i}{\uparrow}\,\frac{\mathsf{i}{\uparrow}\,\dfrac{\mathsf{s}\,\dfrac{\mathsf{s}\,\dfrac{S([P,Q],\bar P,\bar Q)}{S(\bar Q,[(P,\bar P),Q])}}{S[(P,\bar P),(Q,\bar Q)]}}{S(Q,\bar Q)}}{S\{\circ\}}\ .\qquad\square$$ 
2.7 Definition We call core the set of rules, different than atomic (co)interaction 
ones, that appear in the reduction of interaction and cut to atomic form. Rules, other 
than (co)interactions, that are not in the core are called non-core. The core of SBV is 
{s, q↓, q↑}, called SBVc; there are no non-core rules in SBV. 

2.8 Remark Let ρ be a rule and π be its corule, i.e., π is obtained by swapping 
and negating premise and conclusion in ρ. The rule π is then strongly admissible for 
the system {i↓, i↑, s, ρ}, because each instance 

$$\pi\,\frac{S\{T\}}{S\{R\}}\qquad\text{(so that ρ rewrites } \bar R \text{ into } \bar T\text{)}$$ 

can be replaced by 

$$\mathsf{i}{\uparrow}\,\frac{\rho\,\dfrac{\mathsf{s}\,\dfrac{\mathsf{i}{\downarrow}\,\dfrac{S\{T\}}{S(T,[R,\bar R])}}{S[R,(T,\bar R)]}}{S[R,(T,\bar T)]}}{S\{R\}}\ .$$ 



The main idea for getting decomposition and cut elimination theorems is study- 
ing the permutability of rules. To get a decomposition theorem, instances are moved 
up or down along the derivation until a certain scheme is obtained. To get cut elim- 
ination, ‘evil’ rules, corresponding to cuts to be eliminated, are permuted up a proof 
until they reach the logical axiom and disappear. 

2.9 Definition A rule ρ permutes over π if ρ ≠ π and for all 

$$\rho\,\frac{\pi\,\dfrac{Q}{U}}{P}\qquad\text{there is}\qquad \pi\,\frac{\rho\,\dfrac{Q}{V}}{P}\ ,$$ 

for some V; if, in place of the lower π instance, only a derivation $V\;\|_{\mathcal S\cup\{\pi\}}\;P$ exists, for some system $\mathcal S$, we say that ρ permutes by $\mathcal S$ over π. 



In the sequent calculus, identity rules are leaves of the derivation trees, of course. 
They can be put at the top in our calculus, too, but the dual is also true of cuts: they 
can be driven down with no effort. Here is the decomposition theorem. 

2.10 Theorem For every derivation $T\;\|_{\mathsf{SBV}}\;R$ there is a derivation 

$$T\;\|_{\{\mathsf{ai}\downarrow\}}\;Q\;\|_{\mathsf{SBVc}}\;P\;\|_{\{\mathsf{ai}\uparrow\}}\;R\ ,$$ 

for some structures P and Q. 

Proof The rule ai↓ permutes over ai↑ and permutes by SBVc over s, q↓ and q↑. Take the 
topmost instance of ai↓ and move it upward until it reaches the top. Proceed inductively 
downward by moving up each ai↓ instance until only ai↓ instances are above it. Perform 
dually for ai↑. □ 



Derivations are reduced to three-phase ones: a ‘creation’ phase, a middle phase 
where atoms are shuffled by rules in the core, and a ‘destruction’ phase. 

It is time to break the top-down symmetry by making asymmetric observations: 
we want to detect proofs. To do so, we admit inference rules with no premise, called 
logical axioms. For SBV we have: 

2.11 Definition The following (logical axiom) rule is called unit: $\mathsf{o}{\downarrow}\,\frac{}{\circ}$. The sys- 
tem in Fig. 2 is called BV (Basic system V). 

$$\mathsf{o}{\downarrow}\,\frac{}{\circ}\qquad \mathsf{ai}{\downarrow}\,\frac{S\{\circ\}}{S[a,\bar a]}\qquad \mathsf{s}\,\frac{S([R,T],U)}{S[(R,U),T]}\qquad \mathsf{q}{\downarrow}\,\frac{S\langle[R,T];[R',T']\rangle}{S[\langle R;R'\rangle,\langle T;T'\rangle]}$$ 

Fig. 2 System BV 

2.12 Definition A proof, denoted by Π, is a finite derivation whose top is an instance 
of a logical axiom. A system $\mathcal S$ proves R if there is in $\mathcal S$ a proof Π whose conclusion 
is R, written $\Pi\;\|_{\mathcal S}\;R$. A rule ρ is admissible for the system $\mathcal S$ if $\rho\notin\mathcal S$ and for every 
proof $\Pi\;\|_{\mathcal S\cup\{\rho\}}\;R$ there exists a proof $\Pi'\;\|_{\mathcal S}\;R$. Two systems are equivalent if they prove the 
same structures. 

To get cut elimination, so as to have a system whose rules all enjoy the subfor- 
mula property, we could just get rid of ai↑ by proving its admissibility for the other 
rules. But we can do more than that: the whole up fragment of SBV, except for s 
(which also belongs to the down fragment), is admissible. This suggests a modular 
scheme for proving cut elimination, which, as a matter of fact, scales up to the much 
more complex case of MELL, in Sect. 3: 

1 rules in the non-core up fragment of the system are trivially admissible for the 
core, plus interaction and their (down) corules (see 2.8); 

2 prove admissibility for the up rules in the core; 

3 show admissibility of ai↑. 

The decomposition into several up rules is very beneficial when systems are extended; 
the cut elimination proof of the smaller system can be largely reused for the bigger 
one, since it relies on mutual permutability of rules. (There are no non-core rules in 
SBV, we will see the general case in Sect. 3.) 

We have to prove the equivalence of SBV ∪ {o↓} and BV. The first step is to 
show the admissibility of q↑. The proof of the theorem outlines our typical technique, 
which uses super rules to keep track of the context while permuting up a rule to be 
eliminated. 

2.13 Theorem The rule q↑ is admissible for BV ∪ {ai↑}. 

Proof The rule q↑ can be generalised by a certain rule m↑ (called comerge and derived 
from semantics); m↑ permutes by {s, q↓} over ai↓, s and q↓. By 2.10 a given proof can be 
transformed into 

$$\Pi\;\|_{\mathsf{BV}\cup\{\mathsf{q}\uparrow\}}\;P\;\|_{\{\mathsf{ai}\uparrow\}}\;R\ ,$$ 

where the top instance of q↑ has been called m↑. The m↑ instance can be permuted up until 
it disappears against o↓. Repeat inductively downward for all q↑ instances. □ 

The last step is getting rid of the ai↑ instances. 
2.14 Theorem The rule ai↑ is admissible for BV. 

Proof Similar to the previous one. We need the following fact: In BV, replace s by the rule 

$$\mathsf{ds}{\downarrow}\,\frac{S([R,T],U)}{S[(R,U),T]}$$ 

(deep switch), where R is not a proper times structure (i.e., there are no 
non-unit P and Q such that R = (P, Q)); the resulting system, called BVd, is equivalent to 
BV (the argument is not trivial). Transform the upper BV portion of the given proof into a 
BVd one. Then drive up the topmost ai↑ instance by using the super rule 

$$\mathsf{sai}{\uparrow}\,\frac{S(R\{a\},T\{\bar a\})}{S[R\{\circ\},T\{\circ\}]}\ ,$$ 

which permutes by {s, q↓} over ai↓, ds↓ and q↓. The two ai↓ instances that apply to the 
principal literals created by the ai↑ instance must be permuted up preliminarily, until they 
reach the top of the proof. Proceed inductively downward. □ 

This completes the proof of cut elimination. The strategy we followed is com- 
pletely deterministic, so the procedure is confluent. 

Here comes consistency; a similar argument, exploiting the top-down symmetry, 
becomes hard in the sequent calculus, due to the difficulty in flipping derivations. 

2.15 Theorem If R is provable in BV then $\bar R$ is not provable, provided R ≠ o. 

Proof A proof of R is like 

$$\mathsf{ai}{\downarrow}\,\frac{\mathsf{o}{\downarrow}\,\dfrac{}{\circ}}{[a,\bar a]}\;\|_{\mathsf{BV}}\;R\ .$$ 

Get $\bar R\;\|_{\mathsf{SBV}}\;(a,\bar a)$ by flipping the given proof. If $\bar R$ is provable, 
then $(a,\bar a)$ is provable in SBV ∪ {o↓} and, by 2.13 and 2.14, in BV: impossible. □ 

2.16 Remark If we restrict BV by disallowing seq structures, we get a system equiv- 
alent to MLL (Multiplicative Linear Logic) plus mix and nullary mix [1]. The proof 
of this is very similar to the proof of 3.12. 

Systems equivalent to MLL with constants and without mix can be easily de- 
signed in our calculus, but they are not extensible to seq. Other reasons for collapsing 
the constants into o come from external semantic arguments (see [8]). 



3 Multiplicative Exponential Linear Logic 

All general notions from Sect. 2 apply here. In the following, only what changes in 
the systems for MELL is defined. The main differences between our presentation and 
the sequent calculus one are: rules apply anywhere deep into structures, the switch 
rule replaces times, the promotion rule is decomposed into a local variant. Details can 
be found in [16]. 

3.1 Definition We denote by MELL (Multiplicative Exponential Linear Logic) the 
system in the sequent calculus whose formulae are generated by 

$$A ::= a \mid \bot \mid 1 \mid A ⅋ A \mid A\otimes A \mid\; ?A \mid\; !A \mid A^\bot\ ,$$ 

whose sequents are expressions of the kind 

$$\vdash A_1,\ldots,A_h\ ,\qquad\text{for } h\geq 0\ ,$$ 

where the commas between formulae stand for multiset union, and whose rules are 
shown in Fig. 3. Formulae are denoted by A and B, multisets of formulae by Φ and 
Ψ. Negation obeys De Morgan rules. 

Let us define the language of structures ELS (multiplicative Exponential Linear 
logic in the calculus of Structures). The multiplicatives are denoted as in Sect. 2; for 
the exponentials we use ? and !. Structures of ELS and formulae of MELL are in a 
trivial, mutual correspondence. 

3.2 Definition The structures of ELS are generated by 

$$S ::= a \mid \bot \mid 1 \mid [\underbrace{S,\ldots,S}_{>0}] \mid (\underbrace{S,\ldots,S}_{>0}) \mid\; ?S \mid\; !S \mid \bar S\ ,$$ 

where ⊥ and 1 are units; [S, ..., S] is a par structure, (S, ..., S) is a times structure; 
?S is a why-not structure and !S is an of-course structure; $\bar S$ is the negation of S. 

3.3 Definition The functions $(\cdot)_S$ and $(\cdot)_L$ from formulae to structures and vice versa 
are as follows: 

$$\begin{array}{llll}
a_S = a\ , & (a^\bot)_S = \bar a\ , & \bot_S = \bot\ , & 1_S = 1\ ,\\
(A ⅋ B)_S = [A_S, B_S]\ , & (A\otimes B)_S = (A_S, B_S)\ , & (?A)_S = ?A_S\ , & (!A)_S = !A_S\ ,\\
(A^\bot)_S = \overline{A_S}\ , & & & 
\end{array}$$ 

and 

$$\begin{array}{llll}
a_L = a\ , & (\bar a)_L = a^\bot\ , & \bot_L = \bot\ , & 1_L = 1\ ,\\
{[R_1,\ldots,R_h]_L = (R_1)_L ⅋ \cdots ⅋ (R_h)_L}\ , & (R_1,\ldots,R_h)_L = (R_1)_L\otimes\cdots\otimes(R_h)_L\ , & (?R)_L = ?R_L\ , & (!R)_L = !R_L\ ,\\
(\bar R)_L = (R_L)^\bot\ , & & & 
\end{array}$$ 

where h > 0. The function $(\cdot)_S$ extends to sequents by $(\vdash)_S = \bot$ and 

$$(\vdash A_1,\ldots,A_h)_S = [(A_1)_S,\ldots,(A_h)_S]\qquad\text{for } h > 0\ .$$ 
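The two translations of Definition 3.3 can be implemented as a small parser, which also exercises the equations of Fig. 4. The following Python program is an added example written for this edition, not code from the paper or its authors: it parses MELL formulae in an assumed ASCII syntax (* for ⊗, | for ⅋, ? and ! for the exponentials, a postfix ^ for $(\cdot)^\bot$, bot and 1 for the units), builds the ELS structure $(\cdot)_S$ normalised modulo Fig. 4 with negation pushed to the atoms, and writes a structure back as a formula with $(\cdot)_L$. The tuple encoding, the syntax and the function names are assumptions of the example.

```python
import re

# Added example: ELS structures (Definition 3.2) as nested tuples, an assumed encoding:
#   ('at', name, negated) is a literal, BOT / ONE are the units, ('par', kids) and
#   ('tim', kids) are [..] and (..), ('why', R) and ('of', R) are ?R and !R.
BOT, ONE = ('bot',), ('one',)
UNIT = {'par': BOT, 'tim': ONE, 'why': BOT, 'of': ONE}

def mk(kind, items):
    """Par or times structure normalised modulo Fig. 4: associativity (flatten),
    units (drop bot in a par, 1 in a times), singleton, commutativity (sort)."""
    flat = []
    for x in items:
        if x != UNIT[kind]:
            flat.extend(x[1] if x[0] == kind else [x])
    if not flat:
        return UNIT[kind]
    return flat[0] if len(flat) == 1 else (kind, tuple(sorted(flat)))

def exp(kind, r):
    """?R or !R normalised: ?bot = bot, !1 = 1, ??R = ?R, !!R = !R."""
    return r if r == UNIT[kind] or r[0] == kind else (kind, r)

def neg(s):
    """Negation pushed to the atoms by the De Morgan laws of Fig. 4."""
    if s[0] == 'at':
        return ('at', s[1], not s[2])
    if s in (BOT, ONE):
        return ONE if s == BOT else BOT
    if s[0] in ('par', 'tim'):
        return mk('tim' if s[0] == 'par' else 'par', [neg(x) for x in s[1]])
    return exp('of' if s[0] == 'why' else 'why', neg(s[1]))

TOKEN = re.compile(r'\s*([A-Za-z]\w*|1|[()*|?!^])')

def tokens(text):
    out, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError('bad input at position %d' % pos)
        out.append(m.group(1))
        pos = m.end()
    return out

def to_S(text):
    """(.)_S of Definition 3.3 over an assumed ASCII syntax for MELL formulae:
    * is times, | is par, ? and ! are the exponentials, a postfix ^ is negation,
    bot and 1 are the units; par binds weakest, then times, then the unary operators."""
    toks, i = tokens(text), 0
    def peek():
        return toks[i] if i < len(toks) else None
    def take():
        nonlocal i
        if i >= len(toks):
            raise ValueError('unexpected end of input')
        i += 1
        return toks[i - 1]
    def par():
        xs = [tim()]
        while peek() == '|':
            take(); xs.append(tim())
        return mk('par', xs)
    def tim():
        xs = [un()]
        while peek() == '*':
            take(); xs.append(un())
        return mk('tim', xs)
    def un():
        if peek() in ('?', '!'):
            return exp('why' if take() == '?' else 'of', un())
        x = prim()
        while peek() == '^':
            take(); x = neg(x)
        return x
    def prim():
        t = take()
        if t == '(':
            x = par()
            if take() != ')':
                raise ValueError('missing )')
            return x
        return ONE if t == '1' else BOT if t == 'bot' else ('at', t, False)
    s = par()
    if peek() is not None:
        raise ValueError('trailing input')
    return s

def to_L(s):
    """(.)_L of Definition 3.3: the structure written back as a fully bracketed formula."""
    if s[0] == 'at':
        return s[1] + ('^' if s[2] else '')
    if s in (BOT, ONE):
        return 'bot' if s == BOT else '1'
    if s[0] in ('why', 'of'):
        return ('?' if s[0] == 'why' else '!') + to_L(s[1])
    return '(' + (' | ' if s[0] == 'par' else ' * ').join(to_L(x) for x in s[1]) + ')'

def sequent_S(formulas):
    """(|- A1, ..., Ah)_S = [A1_S, ..., Ah_S]; the empty sequent is bot."""
    return mk('par', [to_S(f) for f in formulas])
```

Because structures are kept normalised, `to_S('(a * b)^')` and `to_S('a^ | b^')` are the same tuple, which is how the De Morgan equations of Fig. 4 become definitional here; the round trip `to_S(to_L(...))` returns the structure it started from, which is the "trivial, mutual correspondence" between ELS structures and MELL formulae noted above.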



It would be entirely possible to take MELL as presented above and transport it 
trivially into the calculus of structures. At that point, all of the proof theory possible 
in the sequent calculus would still be possible in our calculus. Instead, we collapse 
dereliction (dr) and contraction (ct) into absorption (which is a known, easy trick) 
and use the peculiarities of the calculus of structures to deal differently with times 
(®) and promotion (pr). This way we get new properties. 

3.4 Definition The structures of ELS are considered equivalent modulo the relation 
=, defined at the left of Fig. 4. There, $\vec R$ and $\vec T$ stand for finite, non-empty sequences 
of structures. At the right of the figure, system SELS is shown (Symmetric, or Self- 
dual, multiplicative Exponential Linear logic in the calculus of Structures). The rules 
ai↓, ai↑ and s are called, as in system SBV, atomic interaction, atomic cut (or atomic 
cointeraction) and switch. The rules p↓, w↓ and b↓ are called, respectively, promotion, 
weakening and absorption, and their corules get a prefix co- before their name. The 
down fragment of SELS is {ai↓, s, p↓, w↓, b↓}, the up fragment is {ai↑, s, p↑, w↑, b↑}. 

The reader can check that the equations in Fig. 4 are equivalences in MELL. 

3.5 Definition The following rules are interaction and cut (or cointeraction): 

$$\mathsf{i}{\downarrow}\,\frac{S\{1\}}{S[R,\bar R]}\qquad\text{and}\qquad \mathsf{i}{\uparrow}\,\frac{S(R,\bar R)}{S\{\bot\}}\ .$$ 

$$\begin{array}{ll}
\text{Associativity} & \text{Commutativity}\\
{[\vec R,[\vec T]] = [\vec R,\vec T]} & {[\vec R,\vec T] = [\vec T,\vec R]}\\
(\vec R,(\vec T)) = (\vec R,\vec T) & (\vec R,\vec T) = (\vec T,\vec R)\\
\text{Units} & \text{Negation}\\
{[\bot,\vec R] = [\vec R]} & \bar\bot = 1\qquad \bar 1 = \bot\\
(1,\vec R) = (\vec R) & \overline{[R_1,\ldots,R_h]} = (\bar R_1,\ldots,\bar R_h)\\
\text{Singleton} & \overline{(R_1,\ldots,R_h)} = [\bar R_1,\ldots,\bar R_h]\\
{[R] = (R) = R} & \overline{?R} = !\bar R\qquad \overline{!R} = ?\bar R\qquad \bar{\bar R} = R\\
\text{Exponentials} & \text{Contextual Closure}\\
?\bot = \bot\quad !1 = 1\quad ??R = ?R\quad !!R = !R & \text{if } R = T \text{ then } S\{R\} = S\{T\}
\end{array}$$ 

$$\begin{array}{lll}
\text{interaction} & \mathsf{ai}{\downarrow}\,\dfrac{S\{1\}}{S[a,\bar a]} & \mathsf{ai}{\uparrow}\,\dfrac{S(a,\bar a)}{S\{\bot\}}\\[1.5em]
\text{structure, core} & \mathsf{s}\,\dfrac{S([R,T],U)}{S[(R,U),T]} & \mathsf{p}{\downarrow}\,\dfrac{S\{![R,T]\}}{S[!R,?T]}\qquad \mathsf{p}{\uparrow}\,\dfrac{S(?R,!T)}{S\{?(R,T)\}}\\[1.5em]
\text{structure, non-core} & \mathsf{w}{\downarrow}\,\dfrac{S\{\bot\}}{S\{?R\}}\qquad \mathsf{w}{\uparrow}\,\dfrac{S\{!R\}}{S\{1\}} & \mathsf{b}{\downarrow}\,\dfrac{S[?R,R]}{S\{?R\}}\qquad \mathsf{b}{\uparrow}\,\dfrac{S\{!R\}}{S(!R,R)}
\end{array}$$ 

Fig. 4 Left: syntactic equivalence = for ELS. Right: system SELS 

$$\mathsf{1}{\downarrow}\,\frac{}{1}\qquad \mathsf{ai}{\downarrow}\,\frac{S\{1\}}{S[a,\bar a]}\qquad \mathsf{s}\,\frac{S([R,T],U)}{S[(R,U),T]}\qquad \mathsf{p}{\downarrow}\,\frac{S\{![R,T]\}}{S[!R,?T]}\qquad \mathsf{w}{\downarrow}\,\frac{S\{\bot\}}{S\{?R\}}\qquad \mathsf{b}{\downarrow}\,\frac{S[?R,R]}{S\{?R\}}$$ 

Fig. 5 System ELS 



Like for system SBV, we have the following two propositions, which say: 1) the 
general interaction and cut rules can be decomposed into their atomic forms; 2) the 
cut rule is as powerful as the whole up fragment of the system, and vice versa (and 
the same holds for the interaction rule with respect to the down fragment). 

3.6 Proposition The rules i↓ and i↑ are strongly admissible for systems {ai↓, s, p↓} 
and {ai↑, s, p↑}, respectively. 

Proof Similar to the proof of 2.6. □ 

3.7 Proposition Every rule ρ↑ in system SELS is strongly admissible for the system 
{i↓, i↑, s, ρ↓}. 

Proof See 2.8. □ 

3.8 Definition The core of SELS is the system {s, p↓, p↑}, denoted by SELSc. 

3.9 Definition The following (logical axiom) rule is called one: $\mathsf{1}{\downarrow}\,\frac{}{1}$. 

As we did in Sect. 2, we put our logical axiom into the down fragment of SELS. 

3.10 Definition System ELS is shown in Fig. 5. 

As a quick consequence of 3.6 and 3.7 we get: 

3.11 Theorem ELS ∪ {i↑} and SELS ∪ {1↓} are strongly equivalent. 
The system SELS ∪ {1↓} is equivalent to MELL: 

3.12 Theorem If R is provable in SELS ∪ {1↓} then $\vdash R_L$ is provable in MELL, and 
if $\vdash\Phi$ is provable in MELL then $\Phi_S$ is provable in SELS ∪ {1↓}. 

Proof For every rule $\rho\,\frac{S\{T\}}{S\{R\}}$ in SELS the sequent $\vdash (T_L)^\bot, R_L$ is provable in MELL. Then 
the sequent $\vdash (S\{T\}_L)^\bot, S\{R\}_L$ is provable. Use this and cut 

$$\mathsf{cut}\,\frac{\vdash S\{T\}_L\qquad \vdash (S\{T\}_L)^\bot, S\{R\}_L}{\vdash S\{R\}_L}$$ 

inductively over a given proof $\Pi\;\|_{\mathsf{SELS}\cup\{\mathsf{1}\downarrow\}}\;R$. Conversely, given a proof in MELL, transform it by 
an easy induction, proceeding from its root, into a proof in SELS ∪ {1↓}. We only show the 
case of promotion, where the derivation Δ exists by induction hypothesis: 

[displayed derivation not legible in this copy: a derivation $\Delta\;\|_{\mathsf{SELS}}$ followed by instances of p↓] □ 

An argument along these lines shows that for every cut free proof in MELL we 
can obtain a proof in ELS. Therefore, i↑ is admissible for ELS, by the cut elimination 
theorem for MELL [6]. In other words, the whole up fragment of SELS is admissible 
for ELS. However, we obtain this result for the calculus of structures by using the 
sequent calculus. Since we want to use our calculus for logics that cannot be captured 
by the sequent calculus, we must be able to prove cut elimination within our calculus, 

with no detour. The first step is a decomposition theorem. 

3.13 Theorem For every derivation $T\;\|_{\mathsf{SELS}}\;R$ there is a derivation 

$$T\;\|_{\{\mathsf{b}\uparrow\}}\;T_1\;\|_{\{\mathsf{w}\downarrow\}}\;T_2\;\|_{\{\mathsf{ai}\downarrow\}}\;T_3\;\|_{\mathsf{SELSc}}\;R_3\;\|_{\{\mathsf{ai}\uparrow\}}\;R_2\;\|_{\{\mathsf{w}\uparrow\}}\;R_1\;\|_{\{\mathsf{b}\downarrow\}}\;R\ ,$$ 

for some structures $R_1, R_2, R_3, T_1, T_2, T_3$. 

Proof The decomposition is done in three steps: b↑ and b↓ instances are separated, then 
w↓ and w↑, and then ai↓ and ai↑. The first step is very difficult (see [16]), the other two are 
rather trivial. □ 

If we just consider proofs instead of derivations, all top instances of b↑ become 
trivial: their premises and conclusions are equal to 1. Moreover, all w↓ instances can 
be removed by using 3.7 and 3.6. 

3.14 Theorem For every proof $\Pi\;\|_{\mathsf{SELS}\cup\{\mathsf{1}\downarrow\}}\;R$ there is a proof 

$$\mathsf{1}{\downarrow}\,\frac{}{1}\;\|_{\{\mathsf{ai}\downarrow\}}\;R_4\;\|_{\mathsf{SELSc}}\;R_3\;\|_{\{\mathsf{ai}\uparrow\}}\;R_2\;\|_{\{\mathsf{w}\uparrow\}}\;R_1\;\|_{\{\mathsf{b}\downarrow\}}\;R\ ,$$ 

for some structures $R_1, R_2, R_3, R_4$. 

Proof It is a trivial variation of 3.13. □ 

The decomposition theorem is of great value for the cut elimination proof, be- 
cause all instances of b↓ are already below the instances of p↑ and ai↑ that have to be 
eliminated. This means that we do not have to deal with absorption (nor contraction), 
which are known to be most problematic in a cut elimination proof. 

3.15 Theorem The systems SELS ∪ {1↓} and ELS are equivalent. 

Proof The proof is similar to that for BV: we eliminate in order w↑, b↑, p↑ and ai↑. For w↑ 
and b↑ we use 3.14. For ai↑ and p↑ we use the super rules: 

$$\mathsf{sai}{\uparrow}\,\frac{S([a,P],[\bar a,Q])}{S[P,Q]}\qquad\text{and}\qquad \mathsf{sp}{\uparrow}\,\frac{S([?R,P],[!T,Q])}{S[?(R,T),P,Q]}\ .$$ 

We also need the rule r↓ and its super corule sr↑: 

$$\mathsf{r}{\downarrow}\,\frac{S\{?[R,T]\}}{S[?R,?T]}\qquad\text{and}\qquad \mathsf{sr}{\uparrow}\,\frac{S([!R,P],[!T,Q])}{S[!(R,T),P,Q]}\ .$$ 

We then use the rule ns↓ (non-deep switch) which defines all instances of s that are not 
instances of ds↓ (see 2.14). Fig. 6 shows the steps of the transformation. We start from a 
decomposed proof produced by 3.14. Then we replace all instances of s either by ds↓ or ns↓, 
and all instances of p↑ and ai↑ by sp↑ and sai↑, respectively. While permuting up the rules 
ns↓ and sp↑ over ds↓ and p↓ in Step 2, the rules sr↑ and r↓ are introduced. In Steps 3 and 4, 
the rules ns↓, sp↑ and sr↑, and then the rule r↓, are eliminated. In the last step the rule sai↑ 
is eliminated. □ 
4 Conclusions and Future Work 

We have shown, in the calculus of structures, the system BV, which is an extension of 
MLL (Multiplicative Linear Logic) and which is not expressible in the sequent calculus 
in any known way. Research is currently going on finally to prove that it is impossible 
to capture BV in the sequent calculus. System BV is interesting for computer science 
because it models a typical notion of sequentialisation. We then extended MLL to 
MELL in our calculus, and we got a system whose promotion rule is local, as opposed 
to what is possible in the sequent calculus, where promotion is global. The new system 
does not present unnecessary non-determinism in dealing with the times connective. 

The question is whether a new calculus is justified, given that the competition 
is the venerable sequent calculus. We answer yes for the following reasons: 

1 Simplicity: The calculus of structures is more general than the sequent calculus 
(for logics with involutive negation), but is not more complicated. The case 
of multiplicative exponential linear logic shows that a simple system, deeply 
different than MELL, can be designed. System BV yields with very simple 
means a logic that defeats sequent calculus. 

2 Power: The calculus of structures unveils properties and possibilities of analy- 
ses, like decomposition, that are not available in the sequent calculus. 

3 Modularity: Proving cut-elimination is modular: if one enlarges a system, the 
work done for the smaller system can be used for the new. Moreover, the cut 
elimination argument for any given system is decomposed into separate pieces. 
This stems from the possibility of dealing with cut the same way we could with 
identity in the sequent calculus: our calculus makes use of a new symmetry. 
One reason for these achievements is the applicability of rules deeply into struc- 
tures, which allows for a lazy bookkeeping of the context. For example, the times rule 
in the sequent calculus must make an early choice of the splitting of its context, which 
is not the case in our calculus. The same happens with promotion: pieces of context 
can be brought inside the scope of an of-course one by one. 

Another reason behind our results is the dropping of the idea of connective. In 
the calculus of structures, instead of defining connectives, rules define mutual relations 
of logical relations. Typical rules in the up fragment of a system are not definable in 
the sequent calculus, yet they are just simple duals of ordinary sequent calculus rules. 
Without much complication, we can then decompose the cut rule into its atomic form, 
which is the key to modularity. 

One possible problem with our calculus is that, since rules apply anywhere deep 
into structures, proof search can be very non-deterministic. Research is in progress in 
our group to focus proofs not only along lines induced by the logical relations [3, 11], 
but also based on the depth of structures. 

Classical logic is also studied. One can easily port ‘additive’ rules to our calculus, 
but the question, again, is whether we can get decomposition and a modular cut 
elimination proof. Recent work, in preparation, by Brünnler and Tiu, shows that 
classical logic enjoys a presentation whose rules are all local, and cut is admissible [4]. 

The next step will be to bring exponentials (and contraction) to system BV. 
The experiment performed in this paper shows that the operation is entirely practical 
in our calculus, and it would yield better results than proof nets [13, 14], which 
have notorious difficulties with exponentials. The resulting calculus will be Turing 
equivalent. Our hope is that MELL will be proved decidable (the question is still 
open): if this happened, it would mean that the edge is crossed by our self-dual 
non-commutative logical relation (the tape of a Turing machine?). 

Finally, we have a further prototype system, inspired by traces [8] , in which also 
the contraction rule is atomic. We are not able yet to prove cut elimination for it. If 
we were successful, we would obtain a totally distributed formalism, in the sense of 
computer science, which would also be a first class proof theoretical system. 
Abstract. The multiplicative fragment of Non commutative Logic (called MNL) has 
a proof nets theory [AR00] with a correctness criterion based on long trips for 
cut-free proof nets. Recently, R. Maieli has developed another criterion in the 
Danos-Regnier style [Mai00]. Both are in exponential time. We give a quadratic 
criterion in the Danos contractibility criterion style. 



1 Introduction 

Non commutative Logic (NL) is a unification of linear logic [Gir87] and cyclic 
linear logic [Gir89,Yet90,Abr91] (a classical conservative extension of the Lambek 
calculus [Lam58]). It includes all linear connectives: multiplicatives, additives, 
exponentials and constants. Recent results [AR00,Rue00,MR00] introduce proof 
nets, sequent calculus, phase semantics and all the important theorems like cut 
elimination and sequentialisation. The central notion is the structure of order 
varieties. Let $\alpha$ be an order variety on a base set $X \cup \{x\}$; given a point of 
view (the element $x$), $\alpha$ can be seen as a partial order on $X$. Order varieties can 
be presented in different ways by changing the point of view and are invariant 
under the change of presentation: one uses rootless planar trees called seaweeds. 
Thus this structure allows focusing on any formula to apply a rule. 

Proof nets are graph representations of NL derivations. A proof net with 
conclusion $A$ is obtained as an interpretation of a sequent calculus proof of $A$: 
we say that it can be sequentialised. But the corresponding cut-free derivation 
of the formula $A$ is not unique in general: the sequent calculus introduces some 
irrelevant order on the rules. For instance, a derivation $\Pi$ ending with 
$\vdash A \wp B, C \wp D$ imposes an order on the two rules introducing the principal 
connectives of $A \wp B$ and $C \wp D$, but the proof net corresponding to $\Pi$ does not 
depend on that order. 

A contracting proof structure is a hypergraph built in accordance with the 
syntax of proof nets and seaweeds. A proof structure is a particular contracting 
one. To know whether such a structure is a proof net or not, we use a correctness 
criterion. Maieli's criterion is in the Danos-Regnier style: first it uses 
a switching condition and tests whether we obtain an acyclic connected graph; then, 
for each $\nabla$-link, it checks the associated order varieties. 

It is known that the proof nets of multiplicative linear logic have a linear 
time correctness criterion [Gue99]. The first step towards a linear algorithm is 
to have a contractibility criterion (the Danos one [Dan90]) which can be seen as a 
parsing algorithm. One can reformulate it in terms of a sort of unification. Then 
a direct implementation leads to a quasi-linear algorithm, and a sharper study gives the 
exact complexity. Up to now, there was no polynomial criterion for MNL. 

Here we present a set of shrinking rules for MNL proof structures charac- 
terising MNL proof nets as the only structures that contract to a seaweed. We 
show that this contractibility criterion is quadratic. This idea is extended by a 
presentation as a parsing algorithm. So this work criterion. 

Notations. One writes $X \uplus Y$ for the disjoint union of the sets $X$ and $Y$. Let $\omega$ 
and $\tau$ be orders respectively on the sets $X$ and $Y$. Let $x$ be in $X$. One writes 
$\omega[\tau/x]$ for the order on $(X \setminus \{x\}) \cup Y$ defined by $\omega[\tau/x](y,z)$ iff $\omega(y,z)$, or $\tau(y,z)$, or 
$\omega(y,x)$ if $z \in Y$, or $\omega(x,z)$ if $y \in Y$. Let $f$ and $g$ be positive functions. One writes 
$g(n) = \Theta(f(n))$ to denote that $f = O(g)$ and $g = O(f)$. 

2 Order Varieties 

2.1 Order Varieties and Orders 

Definition 1 (order varieties). Let $X$ be a set. An order variety on $X$ is a 
ternary relation $\alpha$ which is: 

cyclic: $\forall x,y,z \in X,\ \alpha(x,y,z) \Rightarrow \alpha(y,z,x)$, 

anti-reflexive: $\forall x,y \in X,\ \neg\alpha(x,x,y)$, 

transitive: $\forall x,y,z,t \in X,\ \alpha(x,y,z)$ and $\alpha(z,t,x) \Rightarrow \alpha(y,z,t)$, 

spreading: $\forall x,y,z,t \in X,\ \alpha(x,y,z) \Rightarrow \alpha(t,y,z)$ or $\alpha(x,t,z)$ or $\alpha(x,y,t)$. 



Definition 2 (series-parallel orders). Let $\omega$ and $\tau$ be two partial orders on 
disjoint sets $X$ and $Y$ respectively. Their serial sum (resp. parallel sum) $\omega < \tau$ 
(resp. $\omega \parallel \tau$) is a partial order on $X \cup Y$ defined respectively by: 

$(\omega < \tau)(x,y)$ iff $x <_\omega y$ or $x <_\tau y$ or ($x \in X$ and $y \in Y$), 

$(\omega \parallel \tau)(x,y)$ iff $x <_\omega y$ or $x <_\tau y$. 

Definition 3 (closure). Let $\omega = (X, <)$ be a partial order on $X$ and $z \in X$. 
Let $<^z$ denote the binary relation: $x <^z y$ iff $x < y$ and $z$ is comparable neither 
with $x$ nor with $y$. The closure of $\omega$ is the ternary relation $\overline{\omega}$ on $X$ defined by: 

$\overline{\omega}(x,y,z)$ iff $x < y < z$ or $y < z < x$ or $z < x < y$ or $x <^z y$ or $y <^x z$ or $z <^y x$. 

Facts 1. i) If $\omega$ is a partial order on $X$ then $\overline{\omega}$ is an order variety on $X$, 

ii) The closure identifies serial and parallel sums of partial orders on disjoint 
sets. 
Definition 4 (gluing). Let $\omega$ and $\tau$ be two partial orders on disjoint sets $X$ 
and $Y$ respectively. The gluing of $\omega$ and $\tau$ is the following order variety on 
$X \cup Y$: 

$\omega * \tau = \overline{\omega < \tau} = \overline{\omega \parallel \tau} = \overline{\tau < \omega}$ 



Definition 5. Let $\alpha$ be an order variety on a set $X$ and $x \in X$. The order $\alpha_x$ 
induced by $\alpha$ and $x$ is the partial order on $X \setminus \{x\}$ defined by: 

$\alpha_x(y,z)$ iff $\alpha(x,y,z)$ 

One writes $x$ for the unique partial order on $\{x\}$. 

Proposition 1. Let $\alpha$ be an order variety on a set $X$, $x \in X$ and $\omega$ be a partial 
order on $X \setminus \{x\}$. Then 

$\alpha_x * x = \alpha$ and $(\omega * x)_x = \omega$ 



Fact 2. Let $\alpha$ be an order variety on a non-empty set. $\alpha$ is series-parallel iff 
there exists a series-parallel order $\omega$ such that $\alpha = \overline{\omega}$. In other words, series- 
parallel order varieties are exactly those which can be represented by series-parallel 
orders. 



Definition 6 (seaweed). Let $\alpha = \overline{\omega}$ be a series-parallel order variety on $X$ 
($\#X \geq 2$) such that $\omega$ is written as a (non-unique) binary tree $T$ with leaves 
labelled by elements of $X$, and root and nodes labelled by $\bullet$ (serial composition) 
or $\circ$ (parallel composition). 

A seaweed $S$ representing $\alpha$ is a rootless planar tree with leaves labelled by 
elements of $X$ and ternary nodes labelled by $\bullet$ or $\circ$, defined by removing the root 
of $T$: 

$\alpha = \overline{\omega < \tau} = \omega * \tau = \overline{\omega \parallel \tau}$ 



By convention orders are represented with the root on top, and seaweeds are then 
oriented anti-clockwise: 

[figure: a rooted tree and the corresponding seaweed] 

One extends the definition of seaweeds to the rootless planar trees with $n$-ary 
nodes ($n \geq 3$). 
Definition 7 (normal form). Let $\alpha$ be a series-parallel order variety. Let the 
seaweeds representing $\alpha$ be considered modulo associativity of $\circ$ and $\bullet$: there are 
no two linked nodes with the same label, and there are no binary or unary nodes. 
The equivalence class of such seaweeds modulo commutativity of $\circ$ has a unique 
representative, which is said to be in normal form. 

The uniqueness comes from the next proposition. 

Remark 1. A seaweed is in normal form if it has $n$-ary nodes and every 
path between two leaves is a sequence of alternating $\bullet$ and $\circ$ nodes. In what follows, 
for a seaweed (not necessarily in normal form), we denote such an alternating path 
between arbitrary leaves $x$ and $y$ by the following figure: 

This notation does not presuppose that this alternating path starts with a $\bullet$-node 
and finishes with a $\circ$-node. 

Example 1. Let $\alpha$ be the closure of $[((a < b) < c) \parallel d] < [e \parallel (f < (g < h) < f)]$. 
Then the path between $d$ and $g$ is 

[figure: the alternating path between $d$ and $g$] 

For convenience we only use seaweeds in normal form, so $\circ$-nodes are com- 
mutative. When it is not ambiguous, we use an order variety instead of its 
representation. 



2.2 Seesaw and Entropy 

Definitions 8. Let $\omega$ and $\tau$ be series-parallel orders on the same given set. The 
equivalence relation seesaw is defined by $\overline{\omega} = \overline{\tau}$. The relation entropy $\sqsubseteq$ is defined 
by $\omega \sqsubseteq \tau$ iff $\omega \subseteq \tau$ and $\overline{\omega} \subseteq \overline{\tau}$. 

Proposition 2. In the case of series-parallel orders, seesaw (resp. entropy) 
turns out to be the least equivalence (resp. the least reflexive transitive re- 
lation) given by: 

$(\omega_1 \parallel \omega_2)$ seesaw $(\omega_1 < \omega_2)$ 

(resp. $\omega[\omega_1 \parallel \omega_2] \sqsubseteq \omega[\omega_1 < \omega_2]$) 
Facts 3. i) Entropy is a partial order, compatible with restriction and with the 
serial and parallel sums of orders, 

ii) entropy between orders corresponds to inclusion of order varieties: let $\alpha$ and 
$\beta$ be order varieties on $X$, and $x \in X$; we have 

$\alpha \subseteq \beta$ iff $\alpha_x \sqsubseteq \beta_x$ 

This is independent from the choice of $x$, 

iii) entropy is performed on seaweeds by changing some $\bullet$-nodes into $\circ$-nodes. 



2.3 Wedge and Identification 

Definitions 9 (wedge). Let $(\omega_i)_{i \in I}$ be a non empty family of partial orders on 
the same set. The wedge $\bigwedge_{i \in I} \omega_i$ is the largest partial order (w.r.t. $\sqsubseteq$) such that 

$(\bigwedge_{i \in I} \omega_i) \sqsubseteq \omega_i$ for all $i \in I$. 

Let $(\alpha_i)_{i \in I}$ be a non empty family of order varieties on a set $X$. The wedge 
$\bigwedge_{i \in I} \alpha_i$ is 

$(\bigwedge_{i \in I} (\alpha_i)_x) * x$ 

for an arbitrary $x \in X$. 

Facts 4. i) Partial orders on a given set form a complete inf-semi-lattice for 
entropy and wedge, 

ii) the wedge is not intersection in general, 

iii) the wedge is not series-parallel in general, even if all the $\omega_i$ are series-parallel, 

iv) the wedge (partially) commutes with restriction: 

if $Y \subseteq |\omega_i|$ then $(\bigwedge_{i \in I} \omega_i)\restriction_Y \sqsubseteq \bigwedge_{i \in I} (\omega_i\restriction_Y)$, 

v) the two notions of wedge are related by: 

$(\bigwedge_{i \in I} \alpha_i)_x = \bigwedge_{i \in I} (\alpha_i)_x$ and $(\bigwedge_{i \in I} \omega_i) * x = \bigwedge_{i \in I} (\omega_i * x)$ 
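The definitions of Section 2.1 (order varieties, closure, gluing, induced order, Proposition 1) and the wedge of Definitions 9 and Facts 4 are small enough to be computed by brute force on a few elements. The following Python script is an added worked example and is not code from the paper: it represents a strict partial order as a set of pairs and an order variety as a set of triples, implements the closure of Definition 3, checks the four axioms of Definition 1, verifies on a constructed pair of orders that serial and parallel sums have the same closure (Facts 1 and Definition 4) and that $\alpha_x * x = \alpha$ and $(\omega * x)_x = \omega$ (Proposition 1), and finally computes the wedge of two constructed orders by enumerating all partial orders on a three-element set, which exhibits Facts 4 ii): the wedge is not the intersection.

```python
"""Order varieties from partial orders: closure, gluing, induced order and wedge.
Added worked example (not code from the paper).  A strict partial order on a finite
set is a frozenset of pairs (x, y) meaning x < y; an order variety is a frozenset of
triples.  All sample orders below are constructed for illustration."""
from itertools import combinations, permutations, product

def is_partial_order(pairs, base):
    """Strict partial order on `base`: irreflexive and transitive."""
    pairs = set(pairs)
    if any((x, x) in pairs for x in base):
        return False
    return all((a, d) in pairs for (a, b), (c, d) in product(pairs, repeat=2) if b == c)

def closure(order, base):
    """Definition 3: the ternary relation induced by a partial order."""
    lt = set(order)

    def lt_above(x, y, z):  # x <^z y : x < y and z comparable with neither x nor y
        return (x, y) in lt and not {(z, x), (x, z), (z, y), (y, z)} & lt

    triples = set()
    for x, y, z in permutations(base, 3):  # distinct elements only
        chain = (((x, y) in lt and (y, z) in lt) or ((y, z) in lt and (z, x) in lt)
                 or ((z, x) in lt and (x, y) in lt))
        if chain or lt_above(x, y, z) or lt_above(y, z, x) or lt_above(z, x, y):
            triples.add((x, y, z))
    return frozenset(triples)

def is_order_variety(alpha, base):
    """Definition 1: cyclic, anti-reflexive, transitive and spreading."""
    if any((x, x, y) in alpha for x in base for y in base):
        return False
    for x, y, z in product(base, repeat=3):
        if (x, y, z) in alpha and (y, z, x) not in alpha:
            return False
    for x, y, z, t in product(base, repeat=4):
        if (x, y, z) in alpha and (z, t, x) in alpha and (y, z, t) not in alpha:
            return False
        if (x, y, z) in alpha and not ((t, y, z) in alpha or (x, t, z) in alpha
                                       or (x, y, t) in alpha):
            return False
    return True

def serial_sum(w, X, t, Y):
    """Definition 2: w < t on X ∪ Y (every element of X below every element of Y)."""
    return frozenset(set(w) | set(t) | {(x, y) for x in X for y in Y})

def parallel_sum(w, t):
    """Definition 2: w ∥ t, the two orders side by side."""
    return frozenset(set(w) | set(t))

def induced(alpha, x):
    """Definition 5: the partial order alpha_x seen from the point of view x."""
    return frozenset((y, z) for (p, y, z) in alpha if p == x)

def entropy_leq(w, t, base):
    """Definitions 8: w ⊑ t iff w ⊆ t and closure(w) ⊆ closure(t)."""
    return set(w) <= set(t) and closure(w, base) <= closure(t, base)

def all_partial_orders(base):
    pairs = [(a, b) for a in base for b in base if a != b]
    for k in range(len(pairs) + 1):
        for sub in combinations(pairs, k):
            if is_partial_order(sub, base):
                yield frozenset(sub)

def wedge(orders, base):
    """Definitions 9 by brute force: the ⊑-largest partial order below every order."""
    cands = [w for w in all_partial_orders(base)
             if all(entropy_leq(w, o, base) for o in orders)]
    for w in cands:
        if all(entropy_leq(c, w, base) for c in cands):
            return w
    return None  # never reached: Facts 4 i) says the wedge always exists

def check_fact1_and_prop1():
    """Constructed check of Facts 1, Definition 4 and Proposition 1 on a < b, c < d."""
    X, Y = ("a", "b"), ("c", "d")
    base = X + Y
    w, t = frozenset({("a", "b")}), frozenset({("c", "d")})
    glued = closure(serial_sum(w, X, t, Y), base)  # w * t
    fact1 = (is_order_variety(glued, base)
             and glued == closure(parallel_sum(w, t), base)
             and glued == closure(serial_sum(t, Y, w, X), base))
    rest = tuple(e for e in base if e != "a")
    prop1 = (closure(serial_sum(induced(glued, "a"), rest, frozenset(), ("a",)), base)
             == glued
             and induced(closure(serial_sum(w, X, frozenset(), ("c",)), X + ("c",)), "c")
             == w)
    return fact1, prop1, len(glued)

def check_wedge_is_not_intersection():
    """Facts 4 ii): on {a,b,c} the wedge of a<b<c and a<c is the empty order,
    although the two orders share the pair a<c."""
    base = ("a", "b", "c")
    chain = frozenset({("a", "b"), ("b", "c"), ("a", "c")})
    single = frozenset({("a", "c")})
    return wedge([chain, single], base), chain & single
```

The wedge search is exponential in the number of pairs, which is fine for the three- or four-element sets used here but is only meant to make the definition tangible; the reason the pair $a < c$ is lost in the second check is that the closure of $\{a < c\}$ contains the triple $(a, c, b)$, which is not in the closure of the chain $a < b < c$, so $\{a < c\}$ is not below the chain for entropy.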

Definition 10 (identification). Let $\alpha$ be an order variety on a set $X \uplus \{x\} \uplus \{y\}$, 
and let $z \notin X \cup \{x,y\}$. The identification $\alpha[z/x,y]$ of $x$ and $y$ into $z$ in $\alpha$ 
is the order variety defined by: 

$\alpha[z/x,y] = \alpha\restriction_{X \cup \{x\}}[z/x] \wedge \alpha\restriction_{X \cup \{y\}}[z/y]$ 

Lemma 1. i) $\alpha[z/x,y]_z * (x \parallel y) \subseteq \alpha$, 

ii) Let $\alpha$ be an order variety on $X \uplus \{x\} \uplus \{y\}$ and $\omega$ be a partial order on 
$X$ such that $\omega * (x \parallel y) \subseteq \alpha$. Then $\omega * (x \parallel y) \subseteq \alpha[z/x,y]_z * (x \parallel y)$, or 
equivalently $\omega \sqsubseteq \alpha[z/x,y]_z$. 

Proof. See the proof of lemma 3.35 in [Rue00]. □ 

Definition 11. Let $\alpha$ be a series-parallel order variety represented by a seaweed 
$S$. We define the seaweed $S(z/x,y)$ by the following sequence of operations on the alternating 
path between $x$ and $y$ in $S$: 

1. $\mathit{fis}_{xy}$: transform every $\circ$-node along the path between $x$ and $y$. This is called 
“fission”: 

[figure: the fission step] 

2. $\mathit{ent}_{xy}$: apply entropy along the path between $x$ and $y$: 

3. $\mathit{ass}_{xy}$: apply associativity along the path between $x$ and $y$: 

[figure: the associativity step] 

4. substitute $z$ for $x \parallel y$. 

Lemma 2. i) Identification in order varieties is monotonic (for the inclusion), 
ii) If $v$ denotes a map such that $v(S)$ is the order variety corresponding to the 
seaweed $S$ then, for $S$ and $T$ seaweeds, 

$v(S) \subseteq v(T) \Rightarrow v(S(z/x,y)) \subseteq v(T(z/x,y))$ 

Proof. Let $\alpha$ and $\beta$ be order varieties on a set $X$ such that $\alpha \subseteq \beta$. We have 
$\alpha[z/x,y] \subseteq \beta[z/x,y]$, i.e. identification is monotonic, because the wedge is clearly 
monotonic. On the seaweeds, the only nodes which differ in the represen- 
tations of $\alpha$ and $\beta$ are the $\circ$-nodes in the representation of $\alpha$ which correspond 
to $\bullet$-nodes in the representation of $\beta$. If so, 

— by definition, for all $x,y \in X$, $\mathit{fis}_{xy}(\alpha)$ and $\mathit{fis}_{xy}(\beta)$ always represent the 
same included order varieties, 
— all differing nodes on the path between $x$ and $y$ in $\mathit{ent}_{xy}(\mathit{fis}_{xy}(\alpha))$ become 
$\circ$-nodes and stay $\circ$-nodes in $\mathit{ent}_{xy}(\mathit{fis}_{xy}(\beta))$, 

— all others are unchanged. 

Hence the order variety represented by $\mathit{ent}_{xy}(\mathit{fis}_{xy}(\alpha))$ is included in the one 
represented by $\mathit{ent}_{xy}(\mathit{fis}_{xy}(\beta))$. □ 

Proposition 3. Let $\alpha$ be a series-parallel order variety on a set $X \uplus \{x\} \uplus \{y\}$, 
and let $z \notin X \cup \{x,y\}$. If the seaweed $S$ represents $\alpha$ then the seaweed $S(z/x,y)$ 
represents the identification $\alpha[z/x,y]$. 

Proof. Using the notations of lemma 2, 

$\supseteq$) With the hypothesis, we have that $\alpha[z/x,y]_z * (x \parallel y) \subseteq \alpha$. Then by the 
previous lemma, 

$v((\alpha[z/x,y]_z * (x \parallel y))(z/x,y)) \subseteq v(\alpha(z/x,y))$ 

So by definition of $S(z/x,y)$, we obtain that 

$\alpha[z/x,y]_z * z \subseteq v(\alpha(z/x,y))$ 

For all $u \in |\alpha|$, $\alpha_u * u = \alpha$, thus 

$\alpha[z/x,y] \subseteq v(\alpha(z/x,y))$ 

$\subseteq$) By definition, $\mathit{fis}_{xy}(\alpha)$ represents the same order variety as $\alpha$ and for every 
order variety $\beta$, $v(\mathit{ent}_{xy}(\beta)) \subseteq \beta$. Thus $v(\mathit{ent}_{xy}(\mathit{fis}_{xy}(\alpha))) \subseteq \alpha$. Then we again 
have that $v(S(z/x,y))_z * (x \parallel y) \subseteq \alpha$. Then by definition and as identification is 
monotonic we have 

$v(S(z/x,y))_z * z \subseteq \alpha[z/x,y]$, i.e. $v(S(z/x,y)) \subseteq \alpha[z/x,y]$ 

□ 



3 MNL Proof Nets 

We restrict ourselves to the multiplicative fragment of NL, i.e. to the formulae built 
from atoms $a, a^\perp, \ldots$, the commutative conjunction and disjunction (resp. $\otimes$ 
and $\wp$) and the non commutative conjunction and disjunction (resp. $\odot$ and $\nabla$). 

Definitions 12 (links and proof structures). A link is an object for which 
the premises (input edges) and the conclusions (output edges) are two disjoint 
sets of vertices: 

[figure: the axiom link with conclusions $A$, $A^\perp$, and the $\otimes$-, $\wp$-, $\odot$- and $\nabla$-links 
with premises $A$, $B$ and conclusion $A \otimes B$, $A \wp B$, $A \odot B$, $A \nabla B$ respectively] 

A proof structure $G$ over the vertices $V(G)$ is a set of links such that: 

— every vertex in $V(G)$ is a conclusion of (only) one link, 

— every vertex in $V(G)$ either is a conclusion of $G$ (i.e. is not a premise of 
any link of $G$) or is a premise of (only) one link, 

— the set $\gamma$ of the conclusions of $G$ (written $G \vdash \gamma$) is not empty. 

3.1 Maieli Correctness Criterion 

Definitions 13 (Switchings). Let $G$ be a proof structure. A switching $s$ for $G$ 
is given by mutilating one premise-edge for each $\nabla$-link and $\wp$-link. Any $\nabla$-link 
(resp. $\wp$-link) admits a left/right mutilation which is called the left/right switch 
of $\nabla$ (resp. $\wp$). Any switching $s$ for a proof structure $G$ induces a graph on $V(G)$ 
which is called the switched proof structure $s(G)$. 

Fact 5. If a switched proof structure $S$ induced by a proof structure $G \vdash \gamma$ 
is acyclic and connected then (viewing $\otimes$-nodes as $\circ$-nodes and $\odot$-nodes as $\bullet$- 
nodes, and effacing binary nodes) $S$ is a seaweed which represents a 
series-parallel order variety on $\gamma$. 

Definition 14 (Suitable conclusion). Let $G \vdash \gamma$ be a proof structure and $s$ 
be a switching for $G$. Let a vertex of $s(G)$ be labelled $A \nabla B$. A conclusion suited 
to $A \nabla B$ is a vertex $C \in \gamma$ such that there is no path from $A \nabla B$ to $C$ in $s(G)$ 
which is oriented in $G$. 

Definition 15 (M-correctness). A proof structure $G$ is M-correct iff for any 
switching $s$: 

1. the switched proof structure $s(G)$ is acyclic and connected, 

2. for any $\nabla$-link labelled $A \nabla B$, for any suitable conclusion $C$, the intersection 
of the paths $AB$, $AC$ and $BC$ in the seaweed $s(G)$ is a $\odot$-node in $G$ with the 
following anti-clockwise order: 

[figure: $A$, $B$ and $C$ placed anti-clockwise around the node] 

Theorem 1 ([Mai00]). A proof structure $G$ is M-correct iff $G$ is sequentialis- 
able. 

In the commutative fragment (multiplicative linear logic) the Maieli cor- 
rectness criterion is exactly the Danos-Regnier one (the first step in the previous 
definition). The latter is well known to be in exponential time: if $n$ is the number 
of $\wp$-links in a proof structure $G$ then the Danos-Regnier correctness criterion 
checks $2^n$ graphs and cannot be inferred by the inspection of a fixed subset of 
the switches of $G$. So the Maieli correctness criterion is at least in exponential 
time. 




Quadratic Correctness Criterion for Non-commutative Logic 


3.2 The Size of a Proof Structure 

If we call size of a proof structure $G$ the number of registers $\mathit{size}(G)$ required 
for the memorisation of $G$ on some random access machine (RAM), then in 
any non redundant coding, $\mathit{size}(G)$ is linear in the number of vertices of $G$, i.e. 
$\mathit{size}(G) = \Theta(|V(G)|)$. Moreover, since the number of links in $G$ is linear in 
the number of vertices of $G$, $\mathit{size}(G) = \Theta(|G|)$ also. In the following, one shall 
analyse the worst case asymptotic complexity of correctness in terms of $\mathit{size}(G)$. 

Remark 2. It is usual to describe a proof net with only one conclusion: build a 
tree of $\wp$-links over the conclusions. This description does not improve the worst 
case asymptotic complexity. 



4 Sequent Calculus 

Definition 16. A sequent $\vdash \alpha$ consists of a series-parallel order variety $\alpha$ of 
formula occurrences. 

Identity group 

$\vdash A * A^\perp$ (identity) 

$\dfrac{\vdash \omega * A \qquad \vdash \omega' * A^\perp}{\vdash \omega * \omega'}$ (cut) 

Structural group 

Logic group 

$\dfrac{\vdash \omega * A \qquad \vdash \omega' * B}{\vdash (\omega' < \omega) * A \odot B}$ ($\odot$) 

$\dfrac{\vdash \omega * (A < B)}{\vdash \omega * A \nabla B}$ ($\nabla$) 

$\dfrac{\vdash \omega * A \qquad \vdash \omega' * B}{\vdash (\omega \parallel \omega') * A \otimes B}$ ($\otimes$) 

$\dfrac{\vdash \omega * (A \parallel B)}{\vdash \omega * A \wp B}$ ($\wp$) 

We can have a sequent calculus without an explicit rule for entropy: only the 
$\wp$-rule needs this rule. So we can substitute the entropy rule and the $\wp$-rule by 
the following one given in [AR00]: 

$\dfrac{\vdash \alpha[A, B]}{\vdash \alpha[A \wp B/A, B]}$ ($\wp^*$-rule) 

where $\alpha[A \wp B/A, B]$ is the identification of definition 10. Indeed in the multi- 
plicative fragment the two versions are equivalent: by lemma 1, we have 

— $\alpha[A \wp B/A,B]_{A \wp B} * (A \parallel B) \subseteq \alpha$, so entropy and the $\wp$-rule can mimic the 
$\wp^*$-rule, 

— $\omega * (A \parallel B) \subseteq \alpha$ implies $\omega * (A \parallel B) \subseteq \alpha[A \wp B/A,B]_{A \wp B} * (A \parallel B)$, so the $\wp^*$-rule 
is an optimised version of the $\wp$-rule where entropy has been minimised. 

See [Rue00] for a detailed explanation and the consequences of removing the en- 
tropy rule in the full NL. 
5 Contractibility Criterion 

Definition 17 (Contracting proof structure). A contracting proof struc- 
ture $G$ over the vertices $V(G)$ is a set of links and seaweeds such that: 

— every vertex in $V(G)$ either is a conclusion of (only) one link or is an ex- 
tremity of (only) one seaweed, 

— every vertex in $V(G)$ either is a conclusion of $G$ (i.e. is not a premise of 
any link of $G$) or is a premise of (only) one link or is an extremity of (only) 
one seaweed, 

— the set $\gamma$ of the conclusions of $G$ (written $G \vdash \gamma$) is not empty. 

We consider the following system of rewriting rules, called contraction rules, 
which is applied from contracting proof sub-structures to seaweeds: 

— no rules for axiom-link, $\otimes$-link, $\odot$-link: an axiom-link is already a seaweed, 
a $\otimes$-link is viewed as a $\circ$-node and a $\odot$-link as a $\bullet$-node, 

— associativity rules, sequential rules and par rule: 

[figure: the associativity rules, the $\nabla$-rule and the $\wp$-rule, the latter contracting a 
seaweed with extremities $A$ and $B$ together with a $\wp$-link into a seaweed with extremity $A \wp B$] 

The par contraction rule corresponds to the transformation of a seaweed $S$ 
and a $\wp$-link into $S(A \wp B/A, B)$. We have $|n - m| \leq 1$ due to the alternating path 
between $A$ and $B$. 

Note that proof structures are particular contracting proof structures. 
Definition 18 (Contractibility criterion). A contracting proof structure $G$ 
is c-correct if $\to_c$ reduces $G$ to a seaweed. 

Theorem 2 (Confluence). The system of contraction rules is confluent. 

Proof. There is no problem with the interactions between local rules like the $\nabla$-rule and 
the associativity rules. The cases $\wp$-rule vs $\wp$-rule and $\wp$-rule vs $\nabla$-rule are treated 
in [Mog01]. The $\wp$-rule vs associativity rules case is exactly the same as vs the $\nabla$-rule. 

□ 



Theorem 3 (Sequentialisation). A proof structure $G$ is c-correct iff $G$ is 
sequentialisable. 

The proof can be deduced from the sequentialisation theorem of the next 
section by using proposition 3. 

Corollary 1 (Correctness). A proof structure $G$ is c-correct iff $G$ is M-correct. 

This correctness criterion acts on an initial contracting proof structure $G$ 
with $\mathit{size}(G)$ links and nodes of seaweeds (recall that axiom-links are seaweeds). 
Let $n = \Theta(\mathit{size}(G))$ be the sum of the weighted number of links and the number 
of nodes. The analysis of each step of reduction shows that the number of links 
always decreases and that: 

— the associativity rules decrease the number of nodes of the seaweed, 

— the $\nabla$-rule decreases the number of links without changing the number of 
nodes. In the degenerate case, assigning a weight of 2 to $\nabla$-links allows $n$ to 
decrease, 

— the $\wp$-rule acts on an alternating path. Let $r$ and $s$ be respectively the number 
of $\bullet$-nodes and $\circ$-nodes on this path. The contraction rule reduces the $r + s$ 
nodes to $2r + 1$ nodes with $|r - s| \leq 1$ due to the alternation. Then in the 
worst case, the difference is 2. So assigning a weight of 3 to $\wp$-links allows $n$ 
to decrease. 

So in the worst case (when $G$ is c-correct), the number of reduction steps in 
this criterion is linear in $\mathit{size}(G)$. Each reduction step is a choice of a rule and 
the application of this rule. This decreases $n$ down to 0. 

Except in the case of the $\wp$-rule, the complexity of choosing a rule is linear in 
$\mathit{size}(G)$. In order to make the choice of the $\wp$-rule have the same complexity, 
mark each seaweed with an integer. 

Applying a reduction rule is linear in $\mathit{size}(G)$ in the worst case: the asso- 
ciativity rules and the $\nabla$-rule are in constant time, the $\wp$-rule is linear in the 
length of the path. Indeed this latter rule consists of an $S(z/x,y)$ operation of 
some $A$ and $B$ into $A \wp B$: this requires linear time for $\mathit{fis}_{AB}$ as well as for 
$\mathit{ent}_{AB}$ and for $\mathit{ass}_{AB}$. 

Therefore this correctness criterion is in quadratic time. 
6 Parsing 

In the previous section, we dealt with contracting proof structures, i.e. with 
seaweeds. Here is the same quadratic time parsing algorithm that checks the cor- 
rectness of a proof structure, but the objects are directly order varieties. From 
the sequent calculus one can find a non deterministic algorithm for the sequential- 
isation of proof structures. We present here a deterministic reformulation. In order 
to show this, we introduce the parsing box, which contains an order variety: let 
$\alpha$ be an order variety on a set $X$, 

[figure: a box labelled $\alpha$ with one conclusion per element of $X$] 

is called the parsing box $\alpha$. This is a kind of link without premises which has one 
conclusion for each element of $X$. We use the following set of parsing rules $\to_p$: 

[figure: the parsing rules; the par parsing rule turns the parsing box $\alpha$ with conclusions 
$A$, $B$ and a $\wp$-link into the parsing box $\omega * A \wp B$, where $\omega * A \wp B = \alpha[A \wp B/A, B]$] 

By the properties of $\to_c$ and proposition 3, we obtain the confluence of $\to_p$. 
Lemma 3. If $\Pi$ is a proof in cut-free MNL of $\vdash \alpha$ then we can naturally asso- 
ciate with $\Pi$ a proof net $\Pi^-$ which reduces to the parsing box $\beta \supseteq \alpha$. 

Proof. The proof net $\Pi^-$ is defined by induction on $\Pi$ as follows: 

Case 1: $\Pi$ is an axiom $\vdash A * A^\perp$; one must define $\Pi^-$ as the axiom link: it is 
reduced to the parsing box $A * A^\perp$. 

Case 2: $\Pi$ is obtained by a $\otimes$-rule from $\Lambda_1$ and $\Lambda_2$ which are respectively the 
proofs of $\vdash \omega * A$ and $\vdash B * \omega'$. By induction hypothesis, $\Lambda_1^-$ and $\Lambda_2^-$ are 
respectively reduced to the parsing boxes $\beta * A \supseteq \omega * A$ and $B * \beta' \supseteq B * \omega'$. 
Then we define $\Pi^-$ as the tensor on $A$ and $B$ of $\Lambda_1$ and $\Lambda_2$: it is reduced to 
the parsing box $(\beta \parallel \beta') * A \otimes B \supseteq (\omega \parallel \omega') * A \otimes B$. 

Case 3: $\Pi$ is obtained by a $\wp$-rule from $\Lambda$ which is a proof of $\vdash \alpha[A, B]$. By 
induction hypothesis, $\Lambda$ is reduced to the parsing box $\beta[A, B] \supseteq \alpha[A, B]$. 
Then we define $\Pi^-$ as the par on $A$ and $B$ of $\Lambda$: it is reduced to the parsing 
box $\beta[A \wp B/A, B] \supseteq \alpha[A \wp B/A, B]$ by lemma 2. 

Case 4: $\Pi$ is obtained by an entropy rule from $\Lambda$ which is a proof of $\vdash \beta$ with 
$\beta \supseteq \alpha$. Then we define $\Pi^-$ as $\Lambda$. 

Case 5: $\Pi$ is obtained by a $\odot$-rule or a $\nabla$-rule; one can build $\Pi^-$ as respec- 
tively in cases 2 and 3 if we recall that $\beta \supseteq \alpha[\omega < \omega']$ implies $\beta[\omega < \omega']$. □ 

Lemma 4. If a proof net $\Lambda$ is reduced to the parsing box $\alpha$ then we can find a 
proof $\Pi$ in sequent calculus of $\vdash \alpha$ such that $\Pi^- = \Lambda$. 

Proof. By induction on the length of the reduction: 

i) one step of reduction: $\Lambda$ is an axiom link which is reduced to the parsing box 
$A * A^\perp$. The claim is proved by taking as $\Pi$ the axiom $\vdash A * A^\perp$. 

ii) several steps of reduction: the system of parsing rules is confluent, so the last 
rule applied to $\Lambda$ is one of the following: 

— Tensor parsing rule: we have a proof net $\Lambda$ reduced to a parsing box 
$\beta = (\omega \parallel \omega') * A \otimes B$. So by the last step, there are proof nets $\Lambda_1$ 
and $\Lambda_2$ reduced respectively to the parsing boxes $\omega * A$ and $B * \omega'$. By 
induction hypothesis, there are proofs $\Pi_1$ and $\Pi_2$ in sequent calculus 
resp. of $\vdash \omega * A$ and $\vdash B * \omega'$ such that $\Pi_1^- = \Lambda_1$ and $\Pi_2^- = \Lambda_2$. 
So by taking as $\Pi$ the tensor of $\vdash \omega * A$ and $\vdash B * \omega'$ we obtain a proof 
of $\vdash \beta$ such that $\Pi^- = \Lambda$. 

— Par parsing rule: we have a proof net $\Lambda$ reduced to a parsing box $\beta = 
\alpha[A \wp B/A, B]$. So by the last step, there is a proof net $\Lambda_1$ reduced to 
a parsing box $\alpha[A, B]$. By induction hypothesis, there is a proof $\Pi_1$ in 
sequent calculus of $\vdash \alpha[A, B]$ such that $\Pi_1^- = \Lambda_1$. One can take as $\Pi$ 
the $\wp^*$-rule applied to $\alpha[A, B]$; then $\Pi^- = \Lambda$. 

— The other parsing rules can be treated as in the previous cases. □ 

Theorem 4 (Sequentialisation). Let us say that the proof structure $G$ is p- 
correct when $\to_p$ reduces $G$ to a parsing box. Then, $G$ is p-correct iff $G$ is se- 
quentialisable. 

Proof. Deduced from lemmas 3 and 4. □ 

Corollary 2. A proof structure $G$ is p-correct iff $G$ is M-correct. 
7 Conclusion 

These criteria are like the other ones from the cut management point of view. 
Given a sequent calculus proof $P$ of NL with cuts, there is an associated proof 
net with cuts. The standard cut elimination gives a cut-free proof net which 
can be sequentialised into a cut-free sequent calculus proof. Then this proof can 
be obtained from $P$ by cut elimination. The question is to know what happens 
during the intermediate steps of cut elimination: is there a correctness criterion, 
i.e. is there a sequentialisation theorem extended to proof nets with cuts? In the 
commutative part of NL, the sequentialisation of proof nets with cuts can be 
solved by seeing a cut like a tensor for correctness. Detailed explanations can 
be found in [Laf95]. But this cannot be done here. So how to deal with a 
contractibility correctness criterion for proof nets with cuts? 

The obtained correctness criterion is quadratic but there is a linear alterna- 
tive in the case of linear logic [Gue99]. This result comes from a reformulation 
of the Danos contractibility criterion which is essentially based on unification. This 
gives a quasi-linear time algorithm. Guerrini’s approach does not trivially gener- 
alise to this case. One can derive a trivial unification algorithm for NL from the 
parsing one but without improving the complexity. In fact, the informa- 
tion needed to perform the unification is exactly that which is contained in the structure 
of order varieties. This new Danos contractibility style criterion for NL is a first 
step towards a linear correctness criterion. 
Abstract. We show in this paper that a special extended logic, partition 
logic, based on so-called partition quantifiers, is able to capture some 
important complexity classes, NP, P and NL, by its natural fragments. 
Fagin’s Theorem and the Immerman-Vardi Theorem are rephrased 
and strengthened into a uniform partition logic setting. Also the dual 
operators for the partition quantifiers are introduced to expose some of 
their important model-theoretic properties. In particular they enable us 
to show a 0-1 law for the partition logic, even when finite variable infini- 
tary logic is adjoined to it. As a consequence, partition logic cannot count 
without built-in ordering on structures. Considering its better theoreti- 
cal properties and tools than those of second order logic, partition logic 
may provide us with an alternative, yet uniform insight into descriptive 
complexity. 



1 Introduction 

From finite model theory, or more precisely, the theory of descriptive complexity, 
we know that all important complexity classes have their own natural logic 
counterparts. In other words, for each of these complexity classes, there exists a 
logical language capable of defining exactly those problems effectively checkable 
in this complexity class. The first such correspondence is due to Fagin [4], which 
equates nondeterministic polynomial time with existential second order logic $\Sigma^1_1$. 
Some of the major results are summarised by the following table: 



Complexity Class | Logic 
NP               | Existential Second Order Logic 
P                | Least Fixed Point Logic 
NL               | Transitive Closure Logic 



Aside from the assurance of the machine-independent description of com- 
plexity classes, these results pave the way for the logical approach to complexity 
issues, culminating in Immerman’s famous proof of NL = co-NL [10]. Never- 
theless, compared with the Turing Machine, the unified machine model behind 
complexity classes, those logics seem more or less incoherent. For instance, we 
have different ways to reach them from first order logic: by adding higher order 
quantifiers (e.g. second order logic) or recursive operators (e.g. least fixed-point 
and transitive closure logic), and the latter explicitly enjoy an inductive flavour. 
Some effort has already been made to unify the logic theories; one is by Grädel [6], 
who identified some fragments of second order logic, namely second order Horn and 
Krom logics, to capture P and NL respectively. Another approach is to augment 
first order logic by a series of Lindström quantifiers which are based on some 
particular complete problems)!], such as using Hamiltonian Path Operators to 
capture NP [18]. 

Partition Logic arises from the ubiquitous mathematical operation of parti- 
tioning a set into several disjoint subsets, over each of which a certain property 
is satisfied homogeneously. One typical example is the congruence relation. H.-D. 
Ebbinghaus first introduced the Partition Quantifiers in the 1990’s to mimic such 
phenomena logically. This idea may go further back to Malitz, yet with some 
extra infinite cardinality constraint [13], which is well beyond finite model the- 
ory. As it can define the connectivity of graphs and some other non-first-order 
properties, partition logic is surely second order in nature. However it possesses 
some nice model-theoretic properties which are not shared by second order logic, 
such as the downward Löwenheim-Skolem-Tarski theorem and the Tarski Chain 
theorem [16]. In the meantime partition quantifiers can be looked at as a special kind 
of monotone Lindström quantifiers, so their Ehrenfeucht-Fraïssé game is more elegant 
and tractable than that of second order logic [15]. Therefore in a sense, partition 
logic is located in the lower level (near first order logic) of the fragment-spectrum 
of second order logic. 

The attempt to apply partition logic in computer science started with a series
of papers [14,15,17], in which the second author proved that on word and tree
structures the monadic fragment of partition logic is equivalent to monadic second order
logic. He also found a natural fragment of partition logic
equivalent to transitive closure logic, while Imhof showed that another sublogic of
it corresponds to bounded fixed point logic [8]. All these facts demonstrate that
partition logic incorporates the recursive mechanism in a succinct form. In this
paper, we show that partition logic may serve as a uniform platform to accommodate
the most important part of the complexity spectrum, i.e. NP, P and NL.
Our main theorem provides a unified characterization of NP and P in partition
logic on finite ordered structures, in which some key parameters of the machine
are explicitly related to those of the partition quantifier, thereby giving the Turing
machine a clearer logical reflection. Meanwhile we also prove a 0-1 law for
partition logic; thus without ordering it cannot even define such a simple
counting problem as Parity over arbitrary finite structures.

The paper is organized as follows: we give the definition of partition logic in
Section 2, where some examples are also provided. Section 3 reviews its relation with
transitive closure logic and least fixed point logic by means of the dual operators
of partition quantifiers, while the capturing of NP and P by partition logic is
demonstrated in Section 4. Section 5 is devoted to its 0-1 law.

We assume the reader has some basic knowledge of finite model theory, especially
the results compiled in the preceding table; comprehensive details and
references can be found in [3,11].



2 Preliminaries



In this paper, only finite relational vocabularies are considered. Unless otherwise
declared, structures are not necessarily finite but have at least two elements. We
use FO, SO to denote first order and second order logic respectively. $FV(\psi)$ is
the set of free variables of a formula $\psi$ of a given logic, $|A|$ is the cardinality of the set
$A$, and we overload $|\bar a|$ for the length of a vector or sequence of elements $\bar a$.

The language of partition logic is the enlargement of FO by a new formation
rule: for any $k, m, n > 0$, if $\varphi(\bar x, \bar y)$ is a well-formed formula with $|\bar x| = mk$ and
$|\bar y| = nk$, then $P^{m,n}_{k}\bar x\bar y\,\varphi(\bar x, \bar y)$ is also well-formed, and in it $\bar x, \bar y$ are bound.

Definition 1. Given a structure $\mathcal A$ and $\bar e \in A^{|\bar z|}$, $\mathcal A \models P^{m,n}_{k}\bar x\bar y\,\varphi(\bar x, \bar y, \bar z)[\bar e]$, where
$FV(\varphi) \subseteq \{\bar x, \bar y, \bar z\}$, iff there is a partition of $A^k$, $A^k = U \cup V$ with $U \neq \emptyset \neq V$ and $U \cap V = \emptyset$,
such that $\mathcal A \models \varphi[\bar d_0 \dots \bar d_{m-1}, \bar b_0 \dots \bar b_{n-1}, \bar e]$ for arbitrary $\bar d_0, \dots, \bar d_{m-1} \in U$ and
$\bar b_0, \dots, \bar b_{n-1} \in V$.

Obviously partition logic is a fragment of SO and also a monotone Lindström
logic. For convenience, we write $P^{m,n}$ in lieu of $P^{m,n}_{1}$, and these quantifiers
are particularly named monadic partition quantifiers [17]. For any $k, m, n > 0$,
let FO($P^{m,n}_{k}$) be the extension of FO with $P^{m,n}_{k}$ only. We abbreviate

FO($P^{1,1}$) $= \bigcup_{k<\omega}$ FO($P^{1,1}_{k}$),

FO($P^{\omega,1}$) $= \bigcup_{k,m<\omega}$ FO($P^{m,1}_{k}$),

FO($P^{\omega,\omega}$) $= \bigcup_{k,m,n<\omega}$ FO($P^{m,n}_{k}$).

It is not very hard to show that whenever $k \ge k'$, $m \ge m'$ and $n \ge n'$, FO($P^{m,n}_{k}$) $\ge$
FO($P^{m',n'}_{k'}$); so, for example, every FO($P^{1,1}_{k}$)-formula belongs to FO($P^{\omega,\omega}$).

Meanwhile let FO(pos $P^{\omega,\omega}$) denote the sublogic of FO($P^{\omega,\omega}$) consisting of the
formulae in which all partition quantifiers occur positively, i.e. within the scope
of an even number of negation signs.



Example 1. One of the simplest properties that partition logic can deal with is
the connectivity of (directed) graphs, which is undefinable in FO:

Conn $:= \neg P x y\,\neg E x y$, where $E$ is a binary relation symbol.

Namely, the graph cannot be divided into two parts between which there is
no cross edge. So $\mathcal A = (A, E^{\mathcal A})$ is strongly connected iff $(A, E^{\mathcal A}) \models$ Conn.
Meanwhile the reachability of one vertex from another can be characterized by

Path$(u, v) := \neg P x y\,[\neg E x y \wedge y \neq u \wedge x \neq v]$,

which states that we cannot divide the graph into two parts without a cross edge
so as to separate $u$ from $v$. Then $f$ is reachable from $e$ in $(A, E^{\mathcal A})$ iff $(A, E^{\mathcal A}) \models$ Path$[e, f]$.

Surely we have

$\models$ Conn $\leftrightarrow \forall u \forall v\,[u \neq v \to$ Path$(u, v)]$.
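The two sentences above are concrete enough to model-check by hand, so the following added example (not code from the paper) evaluates Conn and Path(u, v) exactly as Definition 1 prescribes, by trying every bipartition of the universe, and then compares the answers with ordinary graph search, which is the transitive-closure side of the duality Theorem 1 makes precise. It assumes that both partition subsets are non-empty (the paper only considers structures with at least two elements) and that a digraph is given as a set of (x, y) pairs over a finite universe; the sample graphs are constructed for the example.

```python
"""Example 1 by brute force: the monadic partition quantifier P^{1,1} on digraphs.

Added worked example, not code from the paper.  Conn and Path(u, v) are
evaluated as Definition 1 prescribes (try every bipartition), then checked
against plain graph search, i.e. the TC side of the duality in Theorem 1.
Assumptions: both partition subsets U, V are non-empty, and a digraph is a set
of (x, y) pairs over a finite universe.
"""


def partition_holds(universe, phi):
    """A |= P x y phi(x, y): is there a bipartition A = U u V (U, V non-empty,
    disjoint) with phi(x, y) for every x in U and y in V?  Exponential in |A|,
    which is all the naive algorithm from the definition can offer."""
    elems = sorted(universe)
    n = len(elems)
    for mask in range(1, (1 << n) - 1):          # skip U = {} and U = A
        U = [e for i, e in enumerate(elems) if mask >> i & 1]
        V = [e for i, e in enumerate(elems) if not mask >> i & 1]
        if all(phi(x, y) for x in U for y in V):
            return True
    return False


def conn(universe, E):
    """Conn := ~P x y ~E x y : no bipartition U|V lacks an edge from U to V."""
    return not partition_holds(universe, lambda x, y: (x, y) not in E)


def path(universe, E, u, v):
    """Path(u, v) := ~P x y [~E x y & y != u & x != v] : v is reachable from u."""
    return not partition_holds(
        universe, lambda x, y: (x, y) not in E and y != u and x != v)


def tc(universe, rel, u, v):
    """Reflexive-transitive closure [TC_{x,y} rel](u, v), by graph search."""
    seen, frontier = {u}, [u]
    while frontier:
        x = frontier.pop()
        for y in universe:
            if y not in seen and rel(x, y):
                seen.add(y)
                frontier.append(y)
    return v in seen


def conn_via_path(universe, E):
    """The equivalence Conn <-> forall u, v (u != v -> Path(u, v)) of Example 1."""
    return all(path(universe, E, u, v)
               for u in universe for v in universe if u != v)


def duality_holds(universe, phi):
    """Theorem 1, second equivalence: P x y phi <-> exists u, v. ~[TC ~phi](u, v).
    Returns True when both sides agree on this structure."""
    lhs = partition_holds(universe, phi)
    rhs = any(not tc(universe, lambda x, y: not phi(x, y), u, v)
              for u in universe for v in universe)
    return lhs == rhs


# Constructed sample inputs (not from the paper): a 3-cycle 0->1->2->0 with a
# tail 2->3->4->5, and a plain 4-cycle.
TAIL_A = list(range(6))
TAIL_E = {(0, 1), (1, 2), (2, 0), (2, 3), (3, 4), (4, 5)}
CYCLE_A = list(range(4))
CYCLE_E = {(0, 1), (1, 2), (2, 3), (3, 0)}

if __name__ == "__main__":
    print("Conn on tail graph:", conn(TAIL_A, TAIL_E))   # False: 5 has no exit
    print("Conn on 4-cycle:", conn(CYCLE_A, CYCLE_E))    # True
    print("Path(0, 5):", path(TAIL_A, TAIL_E, 0, 5))     # True
    print("Path(5, 0):", path(TAIL_A, TAIL_E, 5, 0))     # False
```

Note that Path(u, u) comes out true without any search: the conjuncts y ≠ u and x ≠ v would force u into both U and V, so no partition qualifies and the negated quantifier holds, matching the reflexive closure used in `tc`.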

Example 2. Though the definition of partition quantifiers concerns only bipartitions,
FO($P^{\omega,\omega}$) can also deal with properties built upon multi-partitions.

4-Color $:= \exists u_0 \exists u_1 \exists u_2 \exists u_3\, P^{4,4}_{2}\bar x\bar y\,[\psi_1 \wedge \psi_2]$,

$\psi_1 := (x_{00} = 0 \to (x_{01} \neq u_2 \wedge x_{01} \neq u_3))$
$\wedge (y_{00} = 0 \to (y_{01} \neq u_0 \wedge y_{01} \neq u_1))$
$\wedge (x_{00} = 1 \to (x_{01} \neq u_1 \wedge x_{01} \neq u_3))$
$\wedge (y_{00} = 1 \to (y_{01} \neq u_0 \wedge y_{01} \neq u_2))$,

$\psi_2 := (x_{00} = 0 \wedge x_{10} = 1 \wedge x_{01} = x_{11} \wedge x_{20} = 0 \wedge x_{30} = 1 \wedge x_{21} = x_{31}) \to \neg E x_{01} x_{21}$
$\wedge (x_{00} = 0 \wedge y_{00} = 1 \wedge x_{01} = y_{01} \wedge x_{10} = 0 \wedge y_{10} = 1 \wedge x_{11} = y_{11}) \to \neg E x_{01} x_{11}$
$\wedge (y_{00} = 0 \wedge x_{00} = 1 \wedge y_{01} = x_{01} \wedge y_{10} = 0 \wedge x_{10} = 1 \wedge y_{11} = x_{11}) \to \neg E y_{01} y_{11}$
$\wedge (y_{00} = 0 \wedge y_{10} = 1 \wedge y_{01} = y_{11} \wedge y_{20} = 0 \wedge y_{30} = 1 \wedge y_{21} = y_{31}) \to \neg E y_{01} y_{21}$,

where each $\bar x_i = x_{i0}x_{i1}$ and similarly for $\bar y_i$. Note 0, 1 are boolean constants
which can easily be eliminated by first order existential quantification. A graph
$\mathcal A \models$ 4-Color iff $\mathcal A$ can be 4-colored in such a way that each color is used at
least once, which in case $|A| \ge 4$ is equivalent to the 4-colorability problem. Assume
$U|V$ is the partition that makes 4-Color satisfied; let $U_i = \{e \mid (i, e) \in U\}$ and
$V_i = \{e \mid (i, e) \in V\}$ for $i = 0, 1$. Then it induces 4 disjoint partition subsets of
$A$: $U_0 \cap U_1$, $U_0 \cap V_1$, $V_0 \cap U_1$ and $V_0 \cap V_1$. Now $\psi_1$ ensures that each of them
has a non-empty witness $u_i$, and that any two points in the same subset are not
adjacent is expressed by $\psi_2$. Clearly 3-colorability can be defined likewise.
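To see the two-layer encoding at work, here is an added example (not code from the paper) that evaluates 4-Color by brute force over the two bipartitions $U_0|V_0$ and $U_1|V_1$ that a partition of $A^2$ induces, checks $\psi_1$ (all four classes inhabited) and $\psi_2$ (no edge inside a class) directly, and compares the verdict with an ordinary backtracking 4-coloring. It assumes the universe is range(n), takes the two layer indices 0 and 1 as given rather than quantifying them away, and represents a graph as a list of undirected edges; the sample graphs are constructed for the example. The comparison also exhibits the $|A| \ge 4$ caveat: a triangle is 4-colorable but cannot use four colors.

```python
"""Example 2: 4-colorability from two bipartitions of the universe.

Added worked example, not code from the paper.  Restricting a partition U|V of
A^2 to the layers with first coordinate 0 and 1 gives two bipartitions
U_0|V_0 and U_1|V_1 of A; their four intersections are the color classes.
psi_1 demands a witness u_i in each class, psi_2 forbids an edge inside a
class.  Assumptions: the universe is range(n), the layer indices 0, 1 are
taken as given, and E is a list of undirected edges (a, b).
"""
from itertools import product


def four_color(n, E):
    """A |= 4-Color, evaluated by brute force over the two bipartitions, i.e.
    over the partition of A^2 that P^{4,4}_2 quantifies.  Returns a coloring
    {vertex: (layer-0 side, layer-1 side)} or None."""
    for bits0, bits1 in product(product((0, 1), repeat=n), repeat=2):
        color = {a: (bits0[a], bits1[a]) for a in range(n)}
        if len(set(color.values())) < 4:              # psi_1: all four classes used
            continue
        if all(color[a] != color[b] for a, b in E):   # psi_2: no monochromatic edge
            return color
    return None


def colorable(n, E, k):
    """Reference check: ordinary backtracking k-coloring (unused colors allowed)."""
    adj = {a: set() for a in range(n)}
    for a, b in E:
        adj[a].add(b)
        adj[b].add(a)
    col = {}

    def extend(a):
        if a == n:
            return True
        for c in range(k):
            if all(col.get(b) != c for b in adj[a]):
                col[a] = c
                if extend(a + 1):
                    return True
                del col[a]
        return False

    return extend(0)


def agrees(n, E):
    """Does 4-Color coincide with plain 4-colorability on (range(n), E)?
    The paper says yes once |A| >= 4; below that, 4-Color can fail although
    the graph is 4-colorable, because psi_1 needs four distinct witnesses."""
    return (four_color(n, E) is not None) == colorable(n, E, 4)


# Constructed sample graphs (not from the paper).
TRIANGLE = [(0, 1), (1, 2), (0, 2)]                                      # n = 3
K5 = [(a, b) for a in range(5) for b in range(a + 1, 5)]                  # n = 5
WHEEL5 = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)] + [(5, i) for i in range(5)]  # n = 6

if __name__ == "__main__":
    print(agrees(3, TRIANGLE), agrees(5, K5), agrees(6, WHEEL5))   # False True True
```

The brute-force loop runs over $2^n \cdot 2^n$ pairs of subsets, which is the cost Definition 1 imposes on any evaluator that enumerates partitions of $A^2$ layer by layer; nothing in the sentence itself hints at a cheaper strategy, which is consistent with 4-colorability being NP-complete.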

3 Dual Operators of Partition Quantifiers

The classical extended logic capturing graph reachability is transitive
closure logic, i.e. FO(TC) [9]. Example 1 suggests the following relation between
FO($P^{1,1}$) and FO(TC).

Theorem 1. [14] The "duality" between $P^{1,1}$ and TC:

$\models [\mathrm{TC}_{x,y}\,\psi(x,y)](u,v) \leftrightarrow \neg P x y\,[x \neq v \wedge y \neq u \wedge \neg\psi(x,y)]$,

$\models P x y\,\psi(x,y) \leftrightarrow \exists u \exists v\,[\neg(\mathrm{TC}_{x,y}\,\neg\psi(x,y))(u,v)]$.

Hence FO($P^{1,1}$) = FO(TC), and as a result FO($P^{1,1}$) captures NL on finite
ordered structures. The above "duality" also inspires the following modification of
partition quantifiers into so-called pseudo transitive closure operators $\mathrm{TP}^{m,n}_{k}$.

Definition 2. Let $\psi(\bar u, \bar v, \bar z) = [\mathrm{TP}^{m,n}_{k}\bar x\bar y\,\varphi(\bar x, \bar y, \bar z)](\bar u, \bar v)$, where $|\bar u| = |\bar v| = k$,
$|\bar x| = mk$, $|\bar y| = nk$ and $FV(\varphi) \subseteq \{\bar x, \bar y, \bar z\}$. Given $\bar e, \bar f \in A^k$ and $\bar g \in A^{|\bar z|}$, if for
any partition $U|V$ of $A^k$ with $\bar e \in U$ and $\bar f \in V$ there exist $\bar d_0, \dots, \bar d_{m-1} \in U$
and $\bar b_0, \dots, \bar b_{n-1} \in V$ such that $\mathcal A \models \varphi[\bar d_0 \dots \bar d_{m-1}, \bar b_0 \dots \bar b_{n-1}, \bar g]$, then we say
$\mathcal A \models \psi[\bar e, \bar f, \bar g]$.

The correspondence between $P^{m,n}_{k}$ and $\mathrm{TP}^{m,n}_{k}$ is transparent, and we can see that
$\mathrm{TP}^{1,1}_{k}$ is exactly $k$-dimensional TC by Theorem 1:

$\models [\mathrm{TC}_{\bar x,\bar y}\,\psi(\bar x,\bar y)](\bar u,\bar v) \leftrightarrow [\mathrm{TP}^{1,1}_{k}\bar x\bar y\,(\bar x \neq \bar v \wedge \bar y \neq \bar u \wedge \psi(\bar x,\bar y))](\bar u,\bar v)$,¹

$\models P^{1,1}_{k}\bar x\bar y\,\psi(\bar x,\bar y) \leftrightarrow \exists \bar u \exists \bar v\,[\neg(\mathrm{TP}^{1,1}_{k}\bar x\bar y\,\neg\psi(\bar x,\bar y))(\bar u,\bar v)]$.

The following lemma shows some essential similarities between TP and TC,
which were proved in [16], yet without introducing TP.

Lemma 1.

(1) For any $\mathcal A$ and $\bar e, \bar f, \bar g \in A^k$, if both $\mathcal A \models \mathrm{TP}^{m,n}_{k}\psi[\bar e, \bar f]$ and $\mathcal A \models \mathrm{TP}^{m,n}_{k}\psi[\bar f, \bar g]$,
then we have $\mathcal A \models \mathrm{TP}^{m,n}_{k}\psi[\bar e, \bar g]$.

(2) Given $\mathcal A \subseteq \mathcal B$ and $\bar e, \bar f \in A^k$ with $\mathcal A \models \mathrm{TP}^{m,n}_{k}\psi[\bar e, \bar f]$, if for any $\bar u \in A^{mk}$ and
$\bar v \in A^{nk}$, $\mathcal A \models \psi[\bar u, \bar v]$ implies $\mathcal B \models \psi[\bar u, \bar v]$, then $\mathcal B \models \mathrm{TP}^{m,n}_{k}\psi[\bar e, \bar f]$.

(3) Let $\tau = \{R\}$, where $R$ is a $k(m+n)$-ary relation symbol. For a $\tau$-structure
$\mathcal A$ with $\mathcal A \models [\mathrm{TP}^{m,n}_{k}\bar x\bar y\,R\bar x\bar y][\bar e, \bar f]$, where $\bar e, \bar f \in A^k$, and $D$ the diagram of $\mathcal A$, there
exists a finite subset $D_{\bar e\bar f}$ of $D$ satisfying $D_{\bar e\bar f} \models [\mathrm{TP}^{m,n}_{k}\bar x\bar y\,R\bar x\bar y](\bar{\mathbf e}, \bar{\mathbf f})$, where $\bar{\mathbf e}, \bar{\mathbf f}$
are new constant symbol sequences interpreted by $\bar e$ and $\bar f$ respectively.

Intuitively, (1) guarantees the transitivity of TP, (2) means TP is closed under
extensions, and in (3) $D_{\bar e\bar f}$ bears witness to the satisfaction of TP on $\bar e, \bar f$,
which may be imagined as the finite "path" in $\mathcal A$ that connects $\bar e$ and $\bar f$. The last
property plays a crucial role in the proof of certain model-theoretic theorems of
FO($P^{\omega,\omega}$); it can also be used to embed partition logic into $\mathcal L_{\infty\omega}$. But as
Example 2 shows that 3-colorability is axiomatizable in it, FO($P^{\omega,\omega}$) is not inside
finite variable infinitary logic by a result of Dawar [7].

¹ Here $\bar x \neq \bar v$ stands for $x_0 \neq v_0 \vee x_1 \neq v_1 \vee \dots \vee x_{k-1} \neq v_{k-1}$.

The naive model-checking algorithm derived directly from the definition of
$P^{m,n}_{k}$ is unavoidably of exponential time, but Theorem 1 has already implied
an NL algorithm for $P^{1,1}_{k}$. To step forward, we can design a P algorithm
for any $P^{m,1}_{k}$ by the following embedding result of $P^{m,1}_{k}$ in least fixed point
logic, FO(LFP).

Proposition 1. Given a structure $\mathcal A$ and $\bar e, \bar f \in A^k$,

(1) $\mathcal A \models [\mathrm{TP}^{m,1}_{k}\bar x\bar y\,\varphi(\bar x,\bar y)][\bar e,\bar f]$ iff $\mathcal A \models [\mathrm{LFP}_{X,\bar y}\,(\bar x = \bar y \vee \exists\bar w(X\bar w_0 \wedge \dots \wedge X\bar w_{m-1} \wedge \varphi(\bar w,\bar y)))][\bar e,\bar f]$, where $\bar w = \bar w_0, \dots, \bar w_{m-1}$.

(2) $\mathcal A \models [\mathrm{LFP}_{Y,\bar y}\,(\varphi_0(\bar y) \vee \exists\bar x(Y\bar x_0 \wedge \dots \wedge Y\bar x_{m-1} \wedge \varphi_1(\bar x_0 \dots \bar x_{m-1},\bar y)))][\bar e]$ iff
$\mathcal A \models \neg P^{m,1}_{k}\bar x\bar y\,[\neg\varphi_1(\bar x,\bar y) \wedge \bar x \neq \bar u \wedge \neg\varphi_0(\bar y)][\bar e]$, where $\bar x = \bar x_0, \dots, \bar x_{m-1}$ and the free $\bar u$ is interpreted by $\bar e$.

Proof. Routine. □

The LFP-formulae in the above proposition indeed fall into Bounded Fixed-Point
Logic, FO(BFP) [3], which allows the LFP operator only if there is a bound
$m \ge 1$ such that each tuple in a new stage is already witnessed by a set of at
most $m$ tuples of the preceding stage, i.e. all fixed-point formulae are of
the form $\mathrm{LFP}_{Y,\bar y}\,(\varphi_0(\bar y) \vee \exists\bar x_0 \dots \exists\bar x_{m-1}(Y\bar x_0 \wedge \dots \wedge Y\bar x_{m-1} \wedge \varphi_1(\bar x_0 \dots \bar x_{m-1}, \bar y)))$.

Thus by Proposition 1 and the equivalence between $P^{m,1}_{k}$ and $\mathrm{TP}^{m,1}_{k}$,

Theorem 2. ([8]) FO($P^{\omega,1}$) = FO(BFP).

We know that FO(TC) < FO(BFP) < FO(LFP) [3], and 3-colorability
separates FO($P^{\omega,1}$) from FO($P^{\omega,\omega}$); hence

Corollary 1.

FO($P^{1,1}$) < FO($P^{\omega,1}$) < FO($P^{\omega,\omega}$),

FO($P^{\omega,1}$) < FO(LFP).
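Proposition 1 (1) is the reason FO($P^{\omega,1}$) admits a polynomial-time evaluator while Definition 2 only offers an exponential one, and the contrast is easy to make concrete. The following added example (not code from the paper) evaluates $[\mathrm{TP}^{m,1}\bar x\bar y\,\varphi](e, f)$ for $k = 1$ both by enumerating every bipartition that separates $e$ from $f$, as Definition 2 prescribes, and by iterating the bounded fixpoint of Proposition 1 (1), then checks that the two agree on a constructed relation. It assumes $\varphi$ is supplied as a Python predicate on an $m$-tuple of $U$-elements and one $V$-element and that the universe is a finite list.

```python
"""Proposition 1 (1): evaluating [TP^{m,1} x y phi](e, f) two ways, for k = 1.

Added worked example, not the paper's code.  The brute-force evaluator follows
Definition 2 (every bipartition separating e from f must contain m witnesses
in U and one in V), which is exponential; the second runs the bounded
fixpoint of Proposition 1 (1), which is polynomial.  Assumption: phi is a
predicate on an m-tuple of U-elements and one V-element; the universe is a
finite list.
"""
from itertools import product


def tp_bruteforce(universe, m, phi, e, f):
    """A |= [TP^{m,1} x y phi](e, f) by Definition 2: for every bipartition U|V
    with e in U and f in V there are d_0..d_{m-1} in U (repetition allowed, as
    the definition permits) and b in V with phi(d_0..d_{m-1}, b)."""
    if e == f:
        return True                      # nothing separates e from itself
    others = [a for a in universe if a not in (e, f)]
    for bits in product((0, 1), repeat=len(others)):
        U = {e} | {a for a, bit in zip(others, bits) if bit}
        V = set(universe) - U            # contains f by construction
        if not any(phi(ds, b) for ds in product(U, repeat=m) for b in V):
            return False                 # a separating partition with no witness
    return True


def tp_fixpoint(universe, m, phi, e, f):
    """Proposition 1 (1): [LFP_{X,y} (x = y or exists w_0..w_{m-1} in X: phi(w, y))](f)
    with x := e.  Stage 0 is {e}; a stage adds y once m already-collected
    elements (a bounded witness, hence BFP) justify it."""
    X = {e}
    changed = True
    while changed:
        changed = False
        for y in universe:
            if y not in X and any(phi(ws, y) for ws in product(X, repeat=m)):
                X.add(y)
                changed = True
    return f in X


def reachable_set(universe, m, phi, e):
    """The full fixpoint from e, exposed so the stages can be inspected."""
    return {f for f in universe if tp_fixpoint(universe, m, phi, e, f)}


# Constructed sample relation (not from the paper): with m = 2, y is "reached"
# from w_0, w_1 when y = w_0 + w_1, so TP^{2,1} from e collects the multiples
# of e that fit in the universe.
UNIVERSE = list(range(8))


def phi_sum(ws, y):
    return y == ws[0] + ws[1]


if __name__ == "__main__":
    print(sorted(reachable_set(UNIVERSE, 2, phi_sum, 2)))        # [2, 4, 6]
    print(tp_bruteforce(UNIVERSE, 2, phi_sum, 2, 6),
          tp_bruteforce(UNIVERSE, 2, phi_sum, 2, 5))              # True False
```

The fixpoint loop performs at most $|A|$ rounds, each scanning $|A|^{m+1}$ candidate tuples, so its cost is polynomial for fixed $m$; the brute-force evaluator, by contrast, visits $2^{|A|-2}$ partitions for every pair $(e, f)$ with $e \neq f$.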

4 Characterizing NP Machines

In this section we characterize NP Turing machines by FO($P^{\omega,\omega}$) on finite
ordered structures. The main technique and conventions used here follow [3]. First
a simple warm-up example is given; then we sketch the proof idea of the main
theorem, guided by this example, while the full-length proof is omitted for
lack of space.

Example 3. Let $\tau$ be the vocabulary for binary trees, i.e. $\tau = \{e, S_1, S_2\}$, where
$e$ is the constant symbol for the root node and $S_1, S_2$ are respectively the left
and right successor relation symbols. The sentence $\theta$ defined below asserts
that there exists a path from the root such that if a node in the path satisfies
the formula $\varphi(x)$ then its right successor must lie in this path too, which may
be depicted by a figure in which the solid nodes are those on the path that satisfy $\varphi$.
[Figure: a binary tree with the chosen path; solid nodes satisfy $\varphi$.]

$\theta := P^{2,2}\,x\,x'\,y\,y'\,[\;\neg(e = y)$  (1)
$\wedge \neg(S_1 y x \vee S_2 y x)$  (2)
$\wedge \neg(S_1 x y \wedge S_2 x y')$  (3)
$\wedge \neg\exists z(S_1 z x \wedge S_2 z x')$  (4)
$\wedge \neg(\varphi(x) \wedge S_2 x y)\;]$  (5)

Now for any finite tree structure $\mathcal A$, suppose $\mathcal A \models \theta$, i.e. there is a
partition $U|V$ of $A$ such that the inner formula is satisfied homogeneously on
this $U|V$. We claim that $U$ is the required path. First, by (1), $e \in U$, since for
any $y \in V$, $y \neq e$. To verify that $U$ is closed under predecessor, note that if there
is some node $x \in U$ whose predecessor node is not in $U$, i.e. some $y \in V$
with $S_1 y x$ or $S_2 y x$, then these $x$ and $y$ refute the second conjunct. The
subformula (3) implies that for any $x \in U$ at least one of its successors also
lies in $U$: assume to the contrary that $x$'s left successor $y$ and right successor $y'$ are
both in $V$; then (3) cannot be satisfied homogeneously. On the other hand, for
any node $z \in U$, at most one of its successors is inside $U$, which is ensured by
(4). Hence (1)-(4) guarantee that the first partition subset $U$ is indeed a
path of $\mathcal A$. Finally, by (5), no element $y \in V$ is the right successor of an $x \in U$
satisfying $\varphi$. The reverse direction is trivial.

Next we fix a vocabulary $\tau = \tau_0 \cup \tau_1$, where $\tau_0 = \{<, S, \min, \max\}$ and
$\tau_1 = \{R_1, \dots\}$, while all $\tau$-structures under consideration interpret
$<$, $S$, $\min$ and $\max$ as the ordering, successor relation, minimum
and maximum elements, i.e. they are ordered structures. For an NP Turing machine $M$
which is time-bounded by $n^d$ to accept $\tau$-structures, using $k + 1$ input tapes for
coding the structure and some other $m$ work tapes for intermediate computation,
let $b_r$ be the maximum number of choices that $M$ can face at any step, and
note $b_r = 1$ if and only if $M$ is deterministic. It is a standard technique to code
any computation run of $M$ by a $(2d + 2)$-ary relation on the input structure: the
first $d$-ary part is the "time stamp", the rest codes the actual configuration
of $M$ at a particular time. That is to say, if $|t|$ is the $n$-adic representation of time
$t$, then the $(d + 2)$-ary relation $R|t|$ fully describes $M$'s configuration at time $t$,
including the state, the inscriptions of each cell on each input or work tape, and
also the position of each reading head on those tapes.

Fagin's theorem relies on the observation that it is possible to define
a first order formula $\varphi(X, Y)$ saying that $Y$ is a valid configuration after $M$
makes a move from the configuration $X$, and in the meantime we can
introduce two simple formulae $\psi_{init}(X)$ and $\psi_{end}(X)$ expressing that $X$ is the initial
configuration and a final configuration with an accepting state respectively. Thus
a $\Sigma^1_1$ sentence

$\Theta = \exists R\,[\psi_{init}(R|t_{init}|) \wedge \psi_{end}(R|t_{end}|) \wedge \forall \bar t_0\,\varphi(R|t_0|, R|t_0 + 1|)]$,

where $|t_{init}|$ and $|t_{end}|$ are FO definable constant vectors representing the initial
and the final times of the computation run, can be constructed. Clearly for any
finite structure $\mathcal A$, $\mathcal A \models \Theta$ iff $R$ can be interpreted as an accepting run of $M$ on $\mathcal A$,
i.e. $M$ accepts $\mathcal A$.

Shifting to partition logic, we aim to devise a sentence $P^{m,n}_{2d+2}\bar x\bar y\,\varphi$ such that once
it is satisfied in a structure $\mathcal A$, the first partition subset can be interpreted as an
accepting run. Surely the above $\varphi$, $\psi_{init}$ and $\psi_{end}$ cannot be directly applied,
because we are deprived of the explicit use of second order variables. Though
the overall idea is similar to the previous tree example, much more deliberation
is needed. Our description of one computation step is divided into two phases:
first $M$ chooses an instruction according to the current configuration, then
$M$ changes its configuration following the instruction. For the first phase, we
add a new element to each $R|t|$ to indicate which instruction will actually be
carried out among all the nondeterministic choices that $M$ can make at $R|t|$.
Note the set of all possible instructions is fully determined by the state of $M$
at time $t$ together with the symbols read by the heads on the input and work
tapes at that moment, which are reflected by a finite number of elements of $R|t|$.
Therefore we are in a situation similar to Example 3, which must regulate that any
nonterminal point of the path has one and only one successor also lying in the
path, while the choice between left and right successor can be nondeterministic.
Once the instruction is chosen for time $t$, the configuration at time $t + 1$ is
totally determined. It is crucial that each element of $R|t + 1|$ depends only on
a bounded number of elements of $R|t|$: the new state and the new inscriptions
at the positions the heads were originally pointing at are determined by the
chosen instruction; the new head positions are determined by the instruction and
the heads' original positions; the inscriptions of the remaining positions stay unchanged,
thus are determined by their original inscriptions. So $R|t + 1|$ can be characterized
in the same fashion as the tree example requires that nodes satisfying $\varphi$ must
have their right successor in the path. A careful and tedious elaboration then
yields:

Theorem 3. If a class $K$ of finite ordered $\tau$-structures is accepted by $M$, then
$K$ is axiomatizable in FO($P^{\omega,\omega}$) by a sentence $\Theta = P^{3+k+2m,\,b_r}_{2d+2}\bar x\bar y\,\varphi$, where $\varphi$ is
a quantifier-free formula.

Conversely, we can effectively construct an NP machine for any given $\varphi \in$
FO(pos $P^{\omega,\omega}$) to check whether $\mathcal A \models \varphi$ for each $\mathcal A$, so

Theorem 4. If $K$ is an FO(pos $P^{\omega,\omega}$) definable class of $\tau$-structures, then $K \in$ NP.
Combining Theorems 2, 3 and 4, we obtain

Corollary 2. On finite ordered structures,

FO(pos $P^{\omega,\omega}$) = NP,

FO($P^{\omega,1}$) = P.

5 0-1 Law for Partition Logic

In this section we are only interested in the labeled 0-1 law under the uniform
probability measure, i.e. each structure of cardinality $n$ has $\{0, \dots, n-1\}$ as its
underlying universe, and all such structures have the same probability. To prove the 0-1 law for
partition logic, we focus on TP instead of the original quantifier P,
making substantial use of its preservation under extensions, i.e. Lemma 1 (2). There
have been several results concerning logics that deal with properties closed under
extensions, or equivalently closed under substructures [5, 2, 12]. In particular
[2] proved that the 0-1 law is retained in FO augmented with those generalized
quantifiers defined over classes of structures that are closed under extensions.
Later we will see that TP can be regarded as such a generalized quantifier. First we
revise the definition of generalized quantifiers. Fix a vocabulary $\sigma = \{R_1, \dots, R_s\}$,
where each $R_i$ is an $r_i$-ary relation symbol. Now for a class $K$ of $\sigma$-structures
which is closed under isomorphisms, if for $1 \le i \le s$, $\psi_i(\bar x_i, \bar y)$ is a formula with
$FV(\psi_i) \subseteq \{\bar x_i, \bar y\}$ and $|\bar x_i| = r_i$, then $Q_K \bar x_1, \dots, \bar x_s[\psi_1, \dots, \psi_s]$ is also a formula, which binds
all $\bar x_i$. For any $\tau$-structure $\mathcal A$ and $\bar a \in A^{|\bar y|}$,

$\mathcal A \models Q_K \bar x_1, \dots, \bar x_s[\psi_1, \dots, \psi_s][\bar a]$ iff $(A, \psi_1^{\mathcal A}(\_, \bar a), \dots, \psi_s^{\mathcal A}(\_, \bar a)) \in K$,

where each $\psi_i^{\mathcal A}(\_, \bar a)$ stands for $\{\bar b \in A^{r_i} \mid \mathcal A \models \psi_i[\bar b, \bar a]\}$. For a set of generalized
quantifiers $\mathcal Q$, FO($\mathcal Q$) and $\mathcal L^t_{\infty\omega}(\mathcal Q)$ denote the extensions of FO and $t$-variable
infinitary logic with $\mathcal Q$ respectively, while $\mathcal L^\omega_{\infty\omega}(\mathcal Q) = \bigcup_{t<\omega}\mathcal L^t_{\infty\omega}(\mathcal Q)$.

Next we detail some notions concerning the classes of structures that are used
to define the generalized quantifiers for which we will prove the 0-1 law.

Definition 3. Let $K$ be a class of structures as defined above. $K$ is said to be
closed under extensions iff whenever $\mathcal A \in K$ and $\mathcal A \subseteq \mathcal A'$, we have $\mathcal A' \in K$.
$K$ is finitely witnessed if for any infinite $\mathcal A \in K$ there
exists a finite $\mathcal A'$ such that $\mathcal A' \subseteq \mathcal A$ and $\mathcal A' \in K$; we then say that $\mathcal A'$ finitely
witnesses $\mathcal A \in K$. $K$ is finitely based if it is both closed under extensions and
finitely witnessed. A $Q_K$ is called closed under extensions, finitely witnessed or
finitely based if $K$ is respectively so.

Example 4.

(1) To define the first order quantifier $\exists$, let $K = \{(A, U) \mid U \subseteq A$ and $U \neq \emptyset\}$;
then $\models \exists x\,\varphi(x) \leftrightarrow Q_K x[\varphi(x)]$. The counting quantifier $\exists^{\ge l}$ can be regarded as $Q_K$
where $K = \{(A, U) \mid |U| \ge l\}$.

(2) For each $\mathrm{TP}^{m,n}_{k}$, let $\sigma = \{R, P\}$ where $R$ and $P$ are respectively $k(m+n)$-ary
and $2k$-ary relation symbols, and set $K = \{(A, R, P) \mid (A, R, P) \models \exists\bar u\bar v([\mathrm{TP}^{m,n}_{k}\bar x\bar y\,R\bar x\bar y](\bar u\bar v) \wedge P\bar u\bar v)\}$.

We have

$\models [\mathrm{TP}^{m,n}_{k}\bar x\bar y\,\psi(\bar x,\bar y)](\bar u,\bar v) \leftrightarrow Q_K \bar x\bar y\,\bar x'\bar y'[\psi, \bar x' = \bar u \wedge \bar y' = \bar v]$,

$\models Q_K \bar x\bar y\,\bar x'\bar y'[\psi_1(\bar x,\bar y), \psi_2(\bar x',\bar y')] \leftrightarrow \exists\bar u\bar v\{[\mathrm{TP}^{m,n}_{k}\bar x\bar y\,\psi_1(\bar x,\bar y)](\bar u\bar v) \wedge \psi_2(\bar u,\bar v)\}$.

In the above examples all $Q_K$ are finitely based. Specifically, Lemma 1 (2) guarantees
that TP is closed under extensions, while in Lemma 1 (3) $\mathcal A \restriction D_{\bar e\bar f}$ finitely
witnesses $\mathcal A \models [\mathrm{TP}^{m,n}_{k}\bar x\bar y\,R\bar x\bar y][\bar e, \bar f]$. As a consequence, one result in [2] implies
that FO($P^{\omega,\omega}$) has the 0-1 law. Furthermore, in the following we strengthen
it to

Theorem 5. $\mathcal L^\omega_{\infty\omega}(P^{\omega,\omega})$ has the labeled 0-1 law.

The proof method we adopt here is rather traditional, i.e. based on a transfer
property (Theorem 6), in contrast to [2], of which we see no easy extension to
$\mathcal L^\omega_{\infty\omega}$.

Let $\varepsilon_i$ be the conjunction of the finitely many $r$-extension axioms with $r < i$, and
$T_{rand}$ the set of all extension axioms, i.e. $T_{rand} = \{\varepsilon_i \mid i > 0\}$. Furthermore $\mathcal A_{rand}$
is the unique countable random structure up to isomorphism, i.e. $\mathcal A_{rand} \models T_{rand}$.
We will rely on the following lemma heavily later. 

Lemma 2. Given two structures $\mathcal A, \mathcal B$ with $\mathcal A \models \varepsilon_i$, and $h : \bar a \mapsto \bar b$ a
partial isomorphism between $\mathcal A$ and $\mathcal B$ with finite domain $|\{\bar a\}| < i$, then for any
finite subset $S \subseteq B$ with $|S| \le i - |\{\bar a\}|$ there exists a finite subset $S' \subseteq A$ such
that $h$ can be extended to some larger partial isomorphism $h' : S', \bar a \mapsto S, \bar b$.

Proof. Easy. □

For any structure $\mathcal A$ and $\bar a \in A^t$, define a first order formula

$\varphi_{\mathcal A,\bar a}(\bar x) = \bigwedge\{\psi(\bar x) \mid \psi$ atomic or negated atomic, and $\mathcal A \models \psi[\bar a]\}$,

and it follows that $\mathcal B \models \varphi_{\mathcal A,\bar a}[\bar b]$ iff $\bar a \mapsto \bar b$ is a partial isomorphism between
$\mathcal A$ and $\mathcal B$. Later on we write $\varphi_{\mathcal A,\bar a} = \varphi_{\mathcal B,\bar b}$ instead of $\mathcal B \models \varphi_{\mathcal A,\bar a}[\bar b]$ if
no ambiguity arises. Obviously an equivalence relation over $A^t$ is induced:
$\bar a \equiv_{\mathcal A} \bar b$ iff $\varphi_{\mathcal A,\bar a} = \varphi_{\mathcal A,\bar b}$, so each $\varphi_{\mathcal A,\bar a}$ defines an equivalence class. The next lemma
shows that in $\mathcal A_{rand}$ this equivalence relation is respected by arbitrary higher level
formulae.

Lemma 3. For any $\psi \in \mathcal L[\tau]$ and $\bar a, \bar b \in A_{rand}^t$ with $\varphi_{\mathcal A_{rand},\bar a} = \varphi_{\mathcal A_{rand},\bar b}$,
$\mathcal A_{rand} \models \psi[\bar a]$ iff $\mathcal A_{rand} \models \psi[\bar b]$. The above $\mathcal L$ could be any logical system whose
satisfaction relation is closed under isomorphisms and permits substitution.

Proof. By $\varphi_{\mathcal A_{rand},\bar a} = \varphi_{\mathcal A_{rand},\bar b}$, $h : \bar a \mapsto \bar b$ is a partial automorphism of $\mathcal A_{rand}$.
Then the fact that $\mathcal A_{rand}$ satisfies $T_{rand}$ and is countable ensures that $h$ can be
enlarged to an automorphism $h'$ of $\mathcal A_{rand}$ via a back-and-forth process. Thereby

$\mathcal A_{rand} \models \psi[\bar a]$

iff $h'(\mathcal A_{rand}) \models \psi[h'(\bar a)]$

iff $\mathcal A_{rand} \models \psi[h'(\bar a)]$

iff $\mathcal A_{rand} \models \psi[\bar b]$.

□

So it makes sense to introduce the following canonization function $\delta$ on
$\mathcal A_{rand}$. Let $\theta$ be a choice function over the equivalence classes of $\equiv_{\mathcal A_{rand}}$, i.e.
$\theta([\bar a]_{\equiv}) \in [\bar a]_{\equiv}$, and define $\delta : A_{rand}^{<\omega} \to A_{rand}^{<\omega}$ with $\delta(\bar a) = \theta([\bar a]_{\equiv_{\mathcal A_{rand}}})$.

Surely $\varphi_{\mathcal A_{rand},\bar a} = \varphi_{\mathcal A_{rand},\delta(\bar a)}$, so by Lemma 3, $\mathcal A_{rand} \models \psi[\bar a]$ iff $\mathcal A_{rand} \models \psi[\delta(\bar a)]$
for arbitrary $\psi$. Note that for any fixed $t$, $|\{\delta(\bar a) \mid \bar a \in A_{rand}^t\}| = |\{[\bar a]_{\equiv} \mid \bar a \in A_{rand}^t\}| < \omega$,
due to the finiteness of $\tau$.

Clearly Lemma 3 exhibits the extreme symmetry of $\mathcal A_{rand}$; furthermore it
implies the following technical result, which gives a bound on the finite witness
of any $Q_K$ over $\mathcal A_{rand}$.

Lemma 4. Given a finitely witnessed $Q_K$ and $t \in \mathbb N$, we can find a fixed $n$
such that: for any $\varphi = Q_K \bar x_1, \dots, \bar x_s[\psi_1, \dots, \psi_s] \in \mathcal L[\tau]$ with $|FV(\varphi)| \le t$ and
$\bar a \in A_{rand}^{|FV(\varphi)|}$, if $\mathcal A_{rand} \models \varphi[\bar a]$, then there exists a finite set $D \subseteq A_{rand}$ with
$|D| \le n$ such that

$(D, \psi_1^{\mathcal A_{rand}}(\_, \bar a) \restriction D, \dots, \psi_s^{\mathcal A_{rand}}(\_, \bar a) \restriction D) \in K$.

Note $\mathcal L$ is the same as in Lemma 3.

Proof. First observe that for any $\psi \in \mathcal L[\tau]$,

$\mathcal A_{rand} \models \psi \leftrightarrow \bigvee\{\varphi_{\mathcal A_{rand},\delta(\bar a)} \mid \mathcal A_{rand} \models \psi[\delta(\bar a)],\ \bar a \in A_{rand}^{|FV(\psi)|}\}$

by Lemma 3, and the finiteness of $\{\delta(\bar a)\}$ ensures that the above disjunction is finite,
i.e. in FO. So we can define an equivalent translation $\lfloor\ \rfloor : \mathcal L[\tau] \to \mathrm{FO}[\tau]$ over $\mathcal A_{rand}$:

$\lfloor\psi\rfloor = \bigvee\{\varphi_{\mathcal A_{rand},\delta(\bar a)} \mid \mathcal A_{rand} \models \psi[\delta(\bar a)],\ \bar a \in A_{rand}^{|FV(\psi)|}\}$.

It is important that the number of possible $\lfloor\psi\rfloor$ is
finite when $\psi$ ranges over all $\mathcal L[\tau]$-formulae with a bounded number of free
variables.

Given $\varphi = Q_K \bar x_1, \dots, \bar x_s[\psi_1, \dots, \psi_s] \in \mathrm{FO}(\{Q_K\})[\tau]$ and $\bar a \in A_{rand}^{|FV(\varphi)|}$ with
$\mathcal A_{rand} \models \varphi[\bar a]$, since $Q_K$ is finitely witnessed there exists a finite $D \subseteq A_{rand}$ that
fulfils

$(D, \psi_1^{\mathcal A_{rand}}(\_, \bar a) \restriction D, \dots, \psi_s^{\mathcal A_{rand}}(\_, \bar a) \restriction D) \in K$.

Such a $D$ may not be unique, so fix one specific $D_{\varphi,\bar a}$.

Then we set

$n = \max\{|D_{Q_K\bar x_1,\dots,\bar x_s[\lfloor\psi_1\rfloor,\dots,\lfloor\psi_s\rfloor],\,\delta(\bar a)}| \;:\; \mathcal A_{rand} \models Q_K\bar x_1,\dots,\bar x_s[\lfloor\psi_1\rfloor,\dots,\lfloor\psi_s\rfloor][\delta(\bar a)]$,
where $\varphi = Q_K\bar x_1,\dots,\bar x_s[\psi_1,\dots,\psi_s] \in \mathcal L[\tau]$
with $|FV(\varphi)| \le t$, hence $|FV(\psi_i)| \le t + r_i$,
and $\bar a \in A_{rand}^{|FV(\varphi)|}\}$.

By the discussion at the beginning and the finiteness of $\{\delta(\bar a)\}$, the right-hand set
is finite, so $n$ is well defined.

Now for any $\varphi = Q_K\bar x_1,\dots,\bar x_s[\psi_1,\dots,\psi_s] \in \mathcal L[\tau]$ with $|FV(\varphi)| \le t$ and $\bar a \in A_{rand}^{|FV(\varphi)|}$,
assume $\mathcal A_{rand} \models \varphi[\bar a]$. Since $\lfloor\ \rfloor$ is an equivalent translation, by Lemma 3
we have $\mathcal A_{rand} \models Q_K\bar x_1,\dots,\bar x_s[\lfloor\psi_1\rfloor,\dots,\lfloor\psi_s\rfloor][\delta(\bar a)]$. Hence $D = D_{Q_K\bar x_1,\dots,\bar x_s[\lfloor\psi_1\rfloor,\dots,\lfloor\psi_s\rfloor],\,\delta(\bar a)}$ exists,
i.e.

$(D, \lfloor\psi_1\rfloor^{\mathcal A_{rand}}(\_, \delta(\bar a)) \restriction D, \dots, \lfloor\psi_s\rfloor^{\mathcal A_{rand}}(\_, \delta(\bar a)) \restriction D) \in K$.

Moreover $|D| \le n$. As in the proof of Lemma 3, $\delta(\bar a) \mapsto \bar a$ can be
extended to an automorphism $h : \mathcal A_{rand} \to \mathcal A_{rand}$ with $h(\delta(\bar a)) = \bar a$. Then we
deduce

$(h(D), \lfloor\psi_1\rfloor^{\mathcal A_{rand}}(\_, \bar a) \restriction h(D), \dots, \lfloor\psi_s\rfloor^{\mathcal A_{rand}}(\_, \bar a) \restriction h(D)) \in K$,

as $K$ is closed under isomorphisms, and hence

$(h(D), \psi_1^{\mathcal A_{rand}}(\_, \bar a) \restriction h(D), \dots, \psi_s^{\mathcal A_{rand}}(\_, \bar a) \restriction h(D)) \in K$,

since $\lfloor\ \rfloor$ is an equivalent translation.

So $h(D)$ witnesses $\mathcal A_{rand} \models Q_K\bar x_1,\dots,\bar x_s[\psi_1,\dots,\psi_s][\bar a]$ with the
required $|h(D)| \le n$. □

Now we say a set $\mathcal Q$ of generalized quantifiers is closed under extensions,
finitely witnessed or finitely based if each $Q_K \in \mathcal Q$ is respectively so.

Theorem 6. Assume a finite set $\mathcal Q$ of generalized quantifiers is finitely based,
and $t \in \mathbb N$. There exists $i \in \mathbb N$ such that for any $\varphi \in \mathcal L^t_{\infty\omega}(\mathcal Q)[\tau]$ and $\bar a \in A_{rand}^{|FV(\varphi)|}$,
if $\mathcal A_{rand} \models \varphi[\bar a]$, then for any finite $\mathcal A \models \varepsilon_i$ and $\bar a' \in A^{|FV(\varphi)|}$ with
$\varphi_{\mathcal A,\bar a'} = \varphi_{\mathcal A_{rand},\bar a}$, we have $\mathcal A \models \varphi[\bar a']$.
Proof. Let $n$ be the maximum of the bounds given by Lemma 4 when $Q_K$ ranges over the
finite set $\mathcal Q$. Take $i = n + t$. First, for any $\varphi$, we can use De Morgan's laws
to push all its negation symbols either to the atomic level or to right before a $Q_K$.
Then we proceed by induction on the structure of such a transformed $\varphi$. Note that, as
mentioned before, $\exists$ can be treated as a finitely based $Q_K$, so the cases of first
order quantifiers are absorbed in the discussion of general finitely based $Q_K$.

(i) $\varphi$ is atomic or negated atomic: trivial.

(ii) The proof for $\varphi = \bigwedge_{j \in J}\varphi_j$ or $\bigvee_{j \in J}\varphi_j$ is an easy induction argument.

(iii) $\varphi = Q_K\bar x_1,\dots,\bar x_s[\psi_1,\dots,\psi_s]$ where $Q_K \in \mathcal Q$ and clearly $|FV(\varphi)| \le t$. By
definition $\mathcal A_{rand} \models \varphi[\bar a]$ is equivalent to

$(A_{rand}, \psi_1^{\mathcal A_{rand}}(\_, \bar a), \dots, \psi_s^{\mathcal A_{rand}}(\_, \bar a)) \in K$.

As $Q_K$ is finitely witnessed, for some finite $D \subseteq A_{rand}$, $(D, \psi_1^{\mathcal A_{rand}}(\_, \bar a) \restriction D, \dots, \psi_s^{\mathcal A_{rand}}(\_, \bar a) \restriction D) \in K$. Moreover, by Lemma 4, $D$ can be chosen in such a
way that $|D| \le n$.

Now for any finite $\mathcal A \models \varepsilon_i$ and $\bar a' \in A^{|FV(\varphi)|}$ with $\varphi_{\mathcal A,\bar a'} = \varphi_{\mathcal A_{rand},\bar a}$: since
$|\{\bar a\}| \le |FV(\varphi)| \le t$, we have $i = n + t \ge |D| + |\{\bar a\}|$, thus we can enlarge the partial
isomorphism $\bar a' \mapsto \bar a$ to $h : S, \bar a' \mapsto D, \bar a$ between $\mathcal A$ and $\mathcal A_{rand}$ by Lemma 2,
for some $S \subseteq A$. We claim

$h((S, \psi_1^{\mathcal A}(\_, \bar a') \restriction S, \dots, \psi_s^{\mathcal A}(\_, \bar a') \restriction S))$
$= (D, \psi_1^{\mathcal A_{rand}}(\_, \bar a) \restriction D, \dots, \psi_s^{\mathcal A_{rand}}(\_, \bar a) \restriction D)$. (1)

Then it follows that $(A, \psi_1^{\mathcal A}(\_, \bar a'), \dots, \psi_s^{\mathcal A}(\_, \bar a')) \in K$, since $K$ is closed under
isomorphisms and extensions, that is to say $\mathcal A \models \varphi[\bar a']$.

Indeed (1) is equivalent to: for any $1 \le j \le s$ and $\bar e \in S^{r_j}$,

$\mathcal A \models \psi_j[\bar e\bar a']$ iff $\mathcal A_{rand} \models \psi_j[h(\bar e\bar a')]$.

If $\mathcal A_{rand} \models \psi_j[h(\bar e\bar a')]$, observe $\varphi_{\mathcal A,\bar e\bar a'} = \varphi_{\mathcal A_{rand},h(\bar e\bar a')}$, so by the induction hypothesis
$\mathcal A \models \psi_j[\bar e\bar a']$. The case $\mathcal A_{rand} \models \neg\psi_j[h(\bar e\bar a')]$ is the same.

(iv) $\varphi = \neg Q_K\bar x_1,\dots,\bar x_s[\psi_1,\dots,\psi_s]$. $\mathcal A_{rand} \models \varphi[\bar a]$, i.e.

$(A_{rand}, \psi_1^{\mathcal A_{rand}}(\_, \bar a), \dots, \psi_s^{\mathcal A_{rand}}(\_, \bar a)) \notin K$.

Given any finite $\mathcal A$ with $\mathcal A \models \varepsilon_i$ and $\bar a' \in A^{|FV(\varphi)|}$ with $\varphi_{\mathcal A,\bar a'} = \varphi_{\mathcal A_{rand},\bar a}$,
i.e. $\bar a' \mapsto \bar a$ is a partial isomorphism between $\mathcal A$ and $\mathcal A_{rand}$, it can moreover
be extended to an isomorphic embedding $h : \mathcal A \to \mathcal A_{rand}$ with $h(\bar a') = \bar a$, by
Lemma 2, since $\mathcal A_{rand} \models \varepsilon_{|A|}$. Similarly to (iii), we shall prove

$h((A, \psi_1^{\mathcal A}(\_, \bar a'), \dots, \psi_s^{\mathcal A}(\_, \bar a')))$
$\subseteq (A_{rand}, \psi_1^{\mathcal A_{rand}}(\_, \bar a), \dots, \psi_s^{\mathcal A_{rand}}(\_, \bar a))$. (2)

Then assume to the contrary that $\mathcal A \not\models \varphi[\bar a']$, i.e. $(A, \psi_1^{\mathcal A}(\_, \bar a'), \dots, \psi_s^{\mathcal A}(\_, \bar a')) \in K$.
Because $K$ is closed under isomorphisms and extensions, we would have

$(A_{rand}, \psi_1^{\mathcal A_{rand}}(\_, \bar a), \dots, \psi_s^{\mathcal A_{rand}}(\_, \bar a)) \in K$

by (2), a contradiction. Therefore $\mathcal A \models \varphi[\bar a']$.

To establish (2), it amounts to showing that for any $1 \le j \le s$ and $\bar e \in A^{r_j}$,

$\mathcal A \models \psi_j[\bar e\bar a']$ iff $\mathcal A_{rand} \models \psi_j[h(\bar e\bar a')]$,

of which the proof is identical to the last part of (iii). □

Corollary 3. For a finite set $\mathcal Q$ of generalized quantifiers, $\mathcal L^\omega_{\infty\omega}(\mathcal Q)$ satisfies the
labeled 0-1 law if $\mathcal Q$ is closed under extensions.

Proof.

To make Theorem 6 applicable, $\mathcal Q$ must also be finitely witnessed. Set

$\mathcal Q^{fin} = \{Q_{K^{fin}} \mid Q_K \in \mathcal Q,\ K^{fin} = \{\mathcal A \mid$ for some finite $\mathcal A' \in K$, $\mathcal A' \subseteq \mathcal A\}\}$.

It is easy to verify that $\mathcal Q^{fin}$ is finitely based for any $\mathcal Q$, and more importantly $\mathcal Q^{fin}$
behaves exactly the same as $\mathcal Q$ on all finite structures provided $\mathcal Q$ is closed under
extensions. So we can safely assume $\mathcal Q$ is finitely based. Then the result follows
from the fact that each $\varepsilon_i$ has asymptotic probability 1 and Theorem 6. □

When $\mathcal Q$ is an infinite set of generalized quantifiers closed under extensions,
for any logic $\mathcal L \le \mathcal L^\omega_{\infty\omega}$ with finitary syntax like FO, LFP and PFP, that is, each
sentence of $\mathcal L(\mathcal Q)$ only involves finitely many $Q_K$'s, we can argue in the same way
as if $\mathcal Q$ were finite, as in the above corollary, so the 0-1 law still holds in $\mathcal L(\mathcal Q)$.
But for $\mathcal L^\omega_{\infty\omega}$ itself, consider the sentence

$\varphi = \bigvee_{l \text{ even}}\big(\exists^{\ge l}x(x = x) \wedge \neg\exists^{\ge l+1}x(x = x)\big)$;

surely it defines the Parity property, which has no asymptotic probability, while
each $\exists^{\ge l}$ is finitely based, so Theorem 6 and Corollary 3 can by no means
be extended to infinite $\mathcal Q$. Nevertheless finitely many generalized quantifiers
usually do not suffice. One typical source of infinitely many quantifiers is
vectorization, which extends a given quantifier to finite Cartesian products of
the universe of the original structure. For instance, $\mathrm{TP}^{m,n}_{k}$ can be viewed as the
$k$-vectorization of the monadic $\mathrm{TP}^{m,n}$. Another extension of much interest is
relativization, which closes the Lindström logic under definable unary sets. Combining
them, we have for any $Q_K$ its relativized $k$-vectorization $Q^{k}_{K}$, which is the
$Q_{K'}$ for $K' = \{(A, U, R_1, \dots, R_s) \mid U \subseteq A^k$ and $(U, R_1 \restriction U, \dots, R_s \restriction U) \in K\}$. It is easy to
prove that being closed under extensions, finitely witnessed and finitely based are all
preserved under relativization and vectorization. Observe that each $Q^{k}_{K}$ must
consume $k + \sum_{1 \le i \le s} k r_i$ distinct variables, so there are only finitely many types of
$Q^{k}_{K}$ that can validly appear in a formula for any given $t$; thus we have

Corollary 4. For a finite set $\mathcal Q$ of $Q_K$ closed under extensions, $\mathcal L^\omega_{\infty\omega}(\mathcal Q^{rv})$ satisfies
the labeled 0-1 law, where $\mathcal Q^{rv} = \{Q^{k}_{K} \mid Q_K \in \mathcal Q, k \in \mathbb N\}$.

A similar argument can be applied to $\mathcal L^\omega_{\infty\omega}(P^{\omega,\omega})$, so Theorem 5 holds. Note that
one of its immediate consequences is that Hamiltonicity cannot be defined in
partition logic, for FO[Ham], the minimal regular logic capturing Hamiltonicity,
does not have a 0-1 law [2].
Abstract. We prove an existential version of Gaifman's locality theorem
and show how it can be applied algorithmically to evaluate existential
first-order sentences in finite structures.



1 Introduction 

Gaifman's locality theorem [12] states that every first-order sentence is equivalent
to a Boolean combination of sentences saying: there exist elements $a_1, \dots, a_k$
that are far apart from one another, and each satisfies some local condition
described by a first-order formula whose quantifiers only range over a fixed-size
neighborhood of an element of the structure. We prove that every existential
first-order sentence is equivalent to a positive Boolean combination of sentences
saying: there exist elements $a_1, \dots, a_k$ that are far apart from one another,
and each $a_i$ satisfies some local condition described by an existential first-order
formula.

The locality of first-order logic can be exploited to prove that certain properties
of finite structures are not expressible in first-order logic, and it seems that
this was Gaifman's main motivation. More recently, Libkin and others considered
this technique of proving inexpressibility results using locality in a complexity
theoretic context (see, e.g., [5,15,14,16]).

A completely different application of Gaifman's theorem has been proposed in
[11]: it can be used to evaluate first-order sentences in certain finite structures
quite efficiently. In general, deciding whether a structure of size $n$ satisfies a
first-order sentence of size $l$ takes time that grows with both $n$ and $l$, and under complexity theoretic
assumptions it can be proved that no real improvement is possible: the problem
of deciding whether a given structure satisfies a given first-order sentence is
PSPACE-complete [18,20], and if parameterized by the size of the input sentence,
it is complete for the parameterized complexity class AW[*] [7]. The latter result
implies that it is unlikely that the problem is fixed-parameter tractable (cf. [6]),
i.e., that it can be solved in time $f(l) \cdot n^c$ for a function $f$ and a constant $c$.

Gaifman's theorem reduces the question of whether a first-order sentence holds in a structure to the question of whether the structure contains elements that are far apart from one another and satisfy some local condition expressed by a first-order formula. In certain structures, it is much easier to decide whether an element satisfies a local first-order formula than to decide whether the whole structure satisfies a first-order sentence. An example is the class of graphs of bounded degree: Local neighborhoods of vertices in such graphs have a size bounded by a constant only depending on the radius of the neighborhoods, so the time needed to check whether a vertex satisfies a local condition does not depend on the size of the graph. Another, less obvious example is the class of planar graphs. To evaluate local conditions in planar graphs, we can exploit the fact that in planar graphs neighborhoods of fixed radius have bounded tree-width [17]. In general, such a locality based approach to evaluating first-order sentences in finite structures works for classes of structures that have a property called bounded local tree-width; the class of planar graphs and all classes of structures of bounded degree are examples of classes having this property. It has been proved in [11] that for each class $C$ of structures of bounded local tree-width there is an algorithm that, given a structure $\mathcal{A} \in C$ and a first-order sentence $\varphi$, decides whether $\mathcal{A}$ satisfies $\varphi$ in time near linear in the size of the structure $\mathcal{A}$ (the precise statement is Theorem 7).

While a linear dependence on the size of the input structure is optimal, the dependence of these algorithms on the size of the input sentence leaves a lot to be desired: There is not even an elementary upper bound for the runtime in terms of the size of the sentence. Although the dependence of the algorithm on the structure size matters much more than the dependence on the size of the sentence, because usually we are evaluating small sentences in large structures,¹ it would be desirable to have a dependence on the size of the sentence that is not worse than exponential. Of course, since we are dealing with a PSPACE-complete problem, we cannot expect the runtime of an algorithm to be polynomial in both the size of the input structure and the size of the input sentence.

We have observed that one of the main factors contributing to the enormous runtime of the locality based algorithms in terms of the formula size is the number of quantifier alternations in the formula. This has motivated the present paper. We can use a variant of our existential locality theorem to improve the algorithms described above to algorithms whose runtime "only" depends doubly exponentially on the size of the input sentence.

In this paper we concentrate on the proof of our existential locality theorem, 
which is surprisingly complicated. This proof is presented in Section 3. The 
algorithmic application is outlined in Section 4. 



2 Preliminaries 

A vocabulary is a finite set of relation symbols. Associated with every relation symbol $R$ is a positive integer called the arity of $R$. In the following, $\tau$ always denotes a vocabulary.

¹ The generic example is the problem of evaluating SQL database queries against finite relational databases, which can be modeled by the problem of evaluating first-order sentences in finite structures.
A $\tau$-structure $\mathcal{A}$ consists of a non-empty set $A$, called the universe of $\mathcal{A}$, and a relation $R^{\mathcal{A}} \subseteq A^r$ for each $r$-ary relation symbol $R \in \tau$. For instance, we consider graphs as $\{E\}$-structures $\mathcal{G} = (G, E^{\mathcal{G}})$, where the binary relation $E^{\mathcal{G}}$ is symmetric and anti-reflexive (i.e. graphs are undirected and loop-free). If $\mathcal{A}$ is a $\tau$-structure and $B \subseteq A$, then $\langle B \rangle^{\mathcal{A}}$ denotes the substructure induced by $\mathcal{A}$ on $B$, that is, the $\tau$-structure $\mathcal{B}$ with universe $B$ and $R^{\mathcal{B}} := R^{\mathcal{A}} \cap B^r$ for every $r$-ary $R \in \tau$.

The formulas of first-order logic are built up from atomic formulas using the usual Boolean connectives and existential and universal quantification over the elements of the universe of a structure. Remember that an atomic formula, or atom, is a formula of the form $x = y$ or $R(x_1, \ldots, x_r)$, where $R$ is an $r$-ary relation symbol. The set of all variables of a formula $\varphi$ is denoted by $\mathrm{var}(\varphi)$. A free variable in a first-order formula is a variable $x$ not in the scope of a quantifier $\exists x$ or $\forall x$. The set of all free variables of a formula $\varphi$ is denoted by $\mathrm{free}(\varphi)$. A sentence is a formula without free variables. The notation $\varphi(x_1, \ldots, x_k)$ indicates that all free variables of the formula $\varphi$ are among $x_1, \ldots, x_k$; it does not necessarily mean that the variables $x_1, \ldots, x_k$ all appear in $\varphi$. For a formula $\varphi(x_1, \ldots, x_k)$, a structure $\mathcal{A}$, and $a_1, \ldots, a_k \in A$ we write $\mathcal{A} \models \varphi(a_1, \ldots, a_k)$ to say that $\mathcal{A}$ satisfies $\varphi$ if the variables $x_1, \ldots, x_k$ are interpreted by the elements $a_1, \ldots, a_k$, respectively.

The weight of a first-order formula $\varphi$ is the number of quantifiers $\exists x$ and $\forall x$ occurring in $\varphi$.

A first-order formula is existential if it contains no universal quantifiers and if every existential quantifier occurs in the scope of an even number of negation symbols. A literal is an atom or a negated atom. A conjunctive query with negation is a formula of the form $\exists \bar x \bigwedge_{i=1}^{m} \lambda_i$, where each $\lambda_i$ is a literal. Every existential formula $\varphi$ of weight $w$ and length $l$ is equivalent to a disjunction of at most $2^l$ conjunctive queries with negation, each of which is of weight at most $w$ and length at most $l$.

We often denote tuples $a_1 \ldots a_k$ of elements of a set $A$ by $\bar a$, and we write $\bar a \in A$ instead of $\bar a \in A^k$. Similarly, we denote tuples of variables by $\bar x$.

Our underlying model of computation is the standard RAM-model with addition and subtraction as arithmetic operations (cf. [1,19]). In our complexity analysis we use the uniform cost measure. Structures are represented on a RAM in a straightforward way by listing all elements of the universe and then all tuples in the relations. For details we refer the reader to [10]. We define the size of a $\tau$-structure $\mathcal{A}$ to be
\[ \|\mathcal{A}\| := |A| + \sum_{R \in \tau\ r\text{-ary}} r \cdot |R^{\mathcal{A}}|; \]
this is the length of a reasonable representation of $\mathcal{A}$ (if we suppress details that are inessential for us). We fix some reasonable encoding for first-order formulas and denote by $\|\varphi\|$ the size of the encoding of a formula $\varphi$.

2.1 Gaifman’s Locality Theorem 

The Gaifman graph of a $\tau$-structure $\mathcal{A}$ is the graph $\mathcal{G}_{\mathcal{A}}$ with vertex set $A$ and an edge between two vertices $a, b \in A$ if there exists an $R \in \tau$ and a tuple $a_1 \ldots a_k \in R^{\mathcal{A}}$ such that $a, b \in \{a_1, \ldots, a_k\}$. The distance $d^{\mathcal{A}}(a,b)$ between two elements $a, b \in A$ of a structure $\mathcal{A}$ is the length of the shortest path in $\mathcal{G}_{\mathcal{A}}$ connecting $a$ and $b$. For $r \geq 1$ and $a \in A$, we define the $r$-neighborhood of $a$ in $\mathcal{A}$ to be $N_r^{\mathcal{A}}(a) := \{ b \in A \mid d^{\mathcal{A}}(a,b) \leq r \}$. For a subset $B \subseteq A$ we let
\[ N_r^{\mathcal{A}}(B) := \bigcup_{b \in B} N_r^{\mathcal{A}}(b). \]

For every $r \geq 0$ there is an existential first-order formula $\delta_r(x,y)$ such that for all $\tau$-structures $\mathcal{A}$ and $a, b \in A$ we have $\mathcal{A} \models \delta_r(a,b)$ if, and only if, $d^{\mathcal{A}}(a,b) \leq r$. In the following, we write $d(x,y) \leq r$ instead of $\delta_r(x,y)$ and $d(x,y) > r$ instead of $\neg\delta_r(x,y)$.

If $\varphi(x)$ is a first-order formula, then $\varphi^{N_r(x)}(x)$ is the formula obtained from $\varphi(x)$ by relativizing all quantifiers to $N_r(x)$, that is, by replacing every subformula of the form $\exists y\, \psi(x,y,\bar z)$ by $\exists y\, (d(x,y) \leq r \wedge \psi(x,y,\bar z))$ and every subformula of the form $\forall y\, \psi(x,y,\bar z)$ by $\forall y\, (d(x,y) \leq r \to \psi(x,y,\bar z))$. We usually write $\exists y \in N_r(x)\ \psi$ instead of $\exists y\, (d(x,y) \leq r \wedge \psi)$ and $\forall y \in N_r(x)\ \psi$ instead of $\forall y\, (d(x,y) \leq r \to \psi)$.

A formula $\psi(x)$ of the form $\varphi^{N_r(x)}(x)$, for some $\varphi(x)$, is called $r$-local. The basic property of $r$-local formulas $\psi(x)$ is that whether they hold at $x$ depends only on the $r$-neighborhood of $x$, that is, for all structures $\mathcal{A}$ and $a \in A$ we have $\mathcal{A} \models \psi(a)$ if, and only if, $\langle N_r^{\mathcal{A}}(a) \rangle^{\mathcal{A}} \models \psi(a)$. Observe that if $\psi(x)$ is $r$-local and $s \geq r$, then $\psi(x)$ is equivalent to the $s$-local formula $\psi^{N_s(x)}(x)$. We often use this observation implicitly when considering $r$-local formulas as $s$-local for some $s \geq r$.

Sentences can never be local in the sense just defined. As a substitute, we say that a local sentence is a sentence of the form
\[ \exists x_1 \ldots \exists x_k \Big( \bigwedge_{1 \leq i < j \leq k} d(x_i, x_j) > 2r \;\wedge\; \bigwedge_{1 \leq i \leq k} \psi(x_i) \Big), \]
where $r, k \geq 1$ and $\psi(x)$ is $r$-local.

Theorem 1 (Gaifman [12]). Every first-order sentence is equivalent to a Boolean 
combination of local sentences. 

3 The Existential Locality Theorems 

If $\psi(x)$ is an existential first-order formula, then for every $r \geq 1$ the $r$-local formula $\psi^{N_r(x)}(x)$ obtained from $\psi$ is also existential. We define a local sentence
\[ \exists x_1 \ldots \exists x_k \Big( \bigwedge_{1 \leq i < j \leq k} d(x_i, x_j) > 2r \;\wedge\; \bigwedge_{1 \leq i \leq k} \psi(x_i) \Big) \]
to be existential if the formula $\psi$ is existential and $r$-local. Let us remark that, in general, an existential local sentence is not equivalent to an existential first-order sentence, because the formula $d(x_i, x_j) > s$ is not existential for any $s \geq 2$.

Theorem 2. Every existential first-order sentence is equivalent to a positive 
Boolean combination of existential local sentences. 
Unfortunately, neither Gaifman's original proof of his locality theorem (based on quantifier elimination) nor Ebbinghaus and Flum's [8] model theoretic proof can be adapted to prove this existential version of Gaifman's theorem. Compared to these proofs, our proof is very combinatorial, which is not surprising, because there is not much "logic" left in existential sentences.

We illustrate the basic idea by a simple example: 

Example 3. Let
\[ \varphi := \exists x \exists y \big( \neg E(x,y) \wedge \mathrm{Red}(x) \wedge \mathrm{Blue}(y) \big) \]
(here $E$ is a binary relation symbol and Red, Blue are unary relation symbols). Although the syntactical form of $\varphi$ is close to that of an existential local sentence, it is not obvious how to find a positive Boolean combination of existential local sentences equivalent to $\varphi$. Here is one:
\[ \Big( \exists x \exists y \big( d(x,y) > 2 \wedge (\mathrm{Red}(x) \vee \mathrm{Blue}(x)) \wedge (\mathrm{Red}(y) \vee \mathrm{Blue}(y)) \big) \wedge \exists x\, \mathrm{Red}(x) \wedge \exists x\, \mathrm{Blue}(x) \Big) \]
\[ \vee\ \exists x\, \exists x' \in N_2(x)\, \exists y \in N_2(x)\, \big( \neg E(x', y) \wedge \mathrm{Red}(x') \wedge \mathrm{Blue}(y) \big). \]

To understand the following proof it is worthwhile trying to extend the idea of this example to the sentence
\[ \exists x \exists y \exists z \big( \neg E(x,y) \wedge \neg E(x,z) \wedge \neg E(y,z) \wedge \mathrm{Red}(x) \wedge \mathrm{Blue}(y) \wedge \mathrm{Green}(z) \big) \]
(although it is very complicated to actually write down an equivalent positive Boolean combination of existential local sentences). Indeed, it is the main difficulty of the proof to handle sentences saying "there is an independent set of points $x_1, \ldots, x_k$ of colors $c_1, \ldots, c_k$, respectively." Playing with such sentences leads to the crucial observation that the basic combinatorial problem can be handled by the marriage theorem (as it is done in Step 4 of the proof of Lemma 4).
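The following Python is an added example, not code from the paper: it builds the Gaifman graph of a relational structure as defined in Section 2.1, computes distances and $r$-neighborhoods by breadth-first search, and then checks by brute force that $\varphi$ from Example 3 and the positive Boolean combination given for it agree on every Red/Blue-colored loop-free graph with at most four vertices (including vertices that carry both colors). The `Structure` class, the relation names `E`, `Red` and `Blue` as Python strings, and the enumeration of small graphs are assumptions of the example.

```python
"""Added example (not from the paper): Gaifman graph, distances and
r-neighborhoods of a finite structure, plus a brute-force check that the
two sentences of Example 3 agree on all small colored graphs."""
from collections import deque
from itertools import combinations, product

INF = float("inf")  # distance between elements in different components


class Structure:
    """A finite structure: a universe and a mapping relation name -> set of tuples."""

    def __init__(self, universe, relations):
        self.universe = list(universe)
        self.relations = {name: {tuple(t) for t in tuples} for name, tuples in relations.items()}
        self.adj = self.gaifman_graph()

    def gaifman_graph(self):
        """a ~ b iff some tuple of some relation contains both a and b."""
        adj = {a: set() for a in self.universe}
        for tuples in self.relations.values():
            for t in tuples:
                for a, b in combinations(set(t), 2):
                    adj[a].add(b)
                    adj[b].add(a)
        return adj

    def distances_from(self, a):
        """d(a, .) by breadth-first search in the Gaifman graph."""
        dist = {x: INF for x in self.universe}
        dist[a] = 0
        queue = deque([a])
        while queue:
            x = queue.popleft()
            for y in self.adj[x]:
                if dist[y] == INF:
                    dist[y] = dist[x] + 1
                    queue.append(y)
        return dist

    def neighborhood(self, a, r):
        """N_r(a) = {b | d(a, b) <= r}."""
        return {b for b, d in self.distances_from(a).items() if d <= r}


def unary(g, name):
    """Elements of a unary relation as a plain set."""
    return {t[0] for t in g.relations[name]}


def holds_phi(g):
    """phi := exists x exists y (not E(x,y) and Red(x) and Blue(y))."""
    E = g.relations["E"]
    return any((x, y) not in E for x in unary(g, "Red") for y in unary(g, "Blue"))


def holds_phi_local(g):
    """The positive Boolean combination of existential local sentences given for phi."""
    E, red, blue = g.relations["E"], unary(g, "Red"), unary(g, "Blue")
    dist = {a: g.distances_from(a) for a in g.universe}
    colored = red | blue
    # first disjunct: two colored elements at distance > 2, plus some red and some blue element
    far_apart = any(dist[x][y] > 2 for x in colored for y in colored)
    first = far_apart and bool(red) and bool(blue)
    # second disjunct: exists x, exists x' in N_2(x), exists y in N_2(x) with the three literals
    second = any(
        (xp, y) not in E
        for x in g.universe
        for xp in red if dist[x][xp] <= 2
        for y in blue if dist[x][y] <= 2
    )
    return first or second


def all_colored_graphs(n):
    """Every loop-free undirected graph on {0..n-1} with every Red/Blue coloring (constructed input)."""
    verts = list(range(n))
    pairs = list(combinations(verts, 2))
    for mask in product((0, 1), repeat=len(pairs)):
        edges = [p for p, bit in zip(pairs, mask) if bit]
        E = {(a, b) for a, b in edges} | {(b, a) for a, b in edges}
        for colors in product(range(4), repeat=n):  # bit 0 = Red, bit 1 = Blue
            red = {(v,) for v, c in zip(verts, colors) if c & 1}
            blue = {(v,) for v, c in zip(verts, colors) if c & 2}
            yield Structure(verts, {"E": E, "Red": red, "Blue": blue})


def example3_equivalent_up_to(n):
    """True iff phi and its local translation agree on every colored graph with at most n vertices."""
    return all(holds_phi(g) == holds_phi_local(g)
               for m in range(1, n + 1) for g in all_colored_graphs(m))


if __name__ == "__main__":
    # constructed structure: path 0-1-2 with an isolated element 3, Red = {0}, Blue = {2}
    g = Structure(range(4), {"E": {(0, 1), (1, 0), (1, 2), (2, 1)}, "Red": {(0,)}, "Blue": {(2,)}})
    print(g.neighborhood(1, 1), g.distances_from(0)[3])
    print(holds_phi(g), holds_phi_local(g), example3_equivalent_up_to(4))
```

On the small path structure only the second disjunct fires, because the red and the blue element are at distance 2; the exhaustive check is what makes the case analysis behind the first disjunct (a third element of the missing color cannot be adjacent to two elements that are more than 2 apart) visible.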

The proof requires some preparation. We define the rank of a local sentence
\[ \exists x_1 \ldots \exists x_k \Big( \bigwedge_{1 \leq i < j \leq k} d(x_i, x_j) > 2r \;\wedge\; \bigwedge_{1 \leq i \leq k} \psi(x_i) \Big) \]
to be the pair $(k + w, r)$, where $w$ is the weight of $\psi$. We partially order the ranks by saying that $(q, r) \leq (q', r')$ if $q \leq q'$ and $r \leq r'$.

Lemma 4. Let $k \geq 2$, $r \geq 1$, $w \geq 0$, and let $\mathcal{A}, \mathcal{B}$ be structures such that every existential local sentence of rank at most $(k \cdot (w+1), 2^{\ldots}\, r)$ that holds in $\mathcal{A}$ also holds in $\mathcal{B}$. Let
\[ \varphi := \exists x_1 \ldots \exists x_k \Big( \bigwedge_{1 \leq i < j \leq k} d(x_i, x_j) > 2^{\ldots}\, r \;\wedge\; \bigwedge_{i=1}^{k} \psi_i(x_i) \Big), \]
where for $1 \leq i \leq k$, the formula $\psi_i(x_i)$ is $r$-local, existential and of weight at most $w$. Suppose that $\mathcal{A} \models \varphi$. Then
\[ \mathcal{B} \models \exists x_1 \ldots \exists x_k \Big( \bigwedge_{1 \leq i < j \leq k} d(x_i, x_j) > 2r \;\wedge\; \bigwedge_{i=1}^{k} \psi_i(x_i) \Big). \]


Proof: We prove the lemma in four steps.

Step 1. We show that if for some $1 \leq l \leq k$, say $l = k$, there are $b_1, \ldots, b_k \in B$ such that $d(b_i, b_j) > 4r$ for $1 \leq i < j \leq k$, and $\mathcal{B} \models \psi_l(b_i)$ for $1 \leq i \leq k$, then it suffices to prove that
\[ \mathcal{B} \models \exists x_1 \ldots \exists x_{k-1} \Big( \bigwedge_{1 \leq i < j \leq k-1} d(x_i, x_j) > 2r \;\wedge\; \bigwedge_{i=1}^{k-1} \psi_i(x_i) \Big). \]
To see this, suppose that we have such $b_1, \ldots, b_k$ and we find $c_1, \ldots, c_{k-1}$ such that $d(c_i, c_j) > 2r$ for all $1 \leq i < j \leq k-1$, and $\mathcal{B} \models \psi_i(c_i)$ for $1 \leq i \leq k-1$. Then there will be at least one $i$, $1 \leq i \leq k$, such that $b_i$ has distance greater than $2r$ from $c_j$ for all $j$, $1 \leq j \leq k-1$. Thus $c_1, \ldots, c_{k-1}, b_i$ witness that
\[ \mathcal{B} \models \exists x_1 \ldots \exists x_k \Big( \bigwedge_{1 \leq i < j \leq k} d(x_i, x_j) > 2r \;\wedge\; \bigwedge_{i=1}^{k} \psi_i(x_i) \Big). \]
So without loss of generality, in the following we assume that for $1 \leq i \leq k$, there are at most $k-1$ elements of $B$ of pairwise distance greater than $4r$ satisfying $\psi_i$.

Step 2. We let $K := \{1, \ldots, k\}$, and for every set $I \subseteq K$ we let $\psi_I(x) := \bigvee_{i \in I} \psi_i(x)$. Note that $\psi_I$ is a formula of weight at most $k \cdot w$. Let $C := \{ c \in B \mid \mathcal{B} \models \psi_K(c) \}$. By the assumption we made at the end of Step 1, there exist at most $k(k-1)$ elements of $C$ of pairwise distance greater than $4r$.

Claim: There are $p$, $1 \leq p \leq k(k-1)+1$, $l$, $1 \leq l \leq k(k-1)$, and elements $c_1, \ldots, c_l \in C$ such that $d^{\mathcal{B}}(c_i, c_j) > 2^{p+1} r$ for $1 \leq i < j \leq l$, and for all $c \in C$ there exists an $i \leq l$ such that $d^{\mathcal{B}}(c, c_i) \leq 2^p r$.

Proof: We construct $c_1, \ldots, c_l$ inductively: As the inductive basis, let $c_1$ be an arbitrary element of $C$. If $c_1, \ldots, c_i$ are constructed, we choose $c_{i+1} \in C$ such that for $1 \leq j \leq i$ we have $d^{\mathcal{B}}(c_{i+1}, c_j) > 2^{k(k-1)+1-(i-1)} r$. If no such $c_{i+1}$ exists, we let $l := i$, $p := k(k-1)+1-(l-1)$ and stop.

Our construction guarantees that for $1 \leq i < j \leq l$ we have
\[ d^{\mathcal{B}}(c_i, c_j) > 2^{k(k-1)+1-(j-2)} r. \qquad (1) \]
For $j \leq k(k-1)+1$, this implies $d^{\mathcal{B}}(c_i, c_j) > 4r$. Since there are at most $k(k-1)$ elements of $C$ of pairwise distance greater than $4r$, this guarantees that $l \leq k(k-1)$. (1) also guarantees that for $1 \leq i < j \leq l$ we have $d^{\mathcal{B}}(c_i, c_j) > 2^{k(k-1)+1-(l-2)} r = 2^{p+1} r$. Since we stopped at $l = i$, for all $c \in C$ there exists an $i \leq l$ such that $d^{\mathcal{B}}(c, c_i) \leq 2^{k(k-1)+1-(l-1)} r = 2^p r$. This proves the claim.

Step 3. Let $p, l, c_1, \ldots, c_l$ be as stated in the claim in Step 2. For $I \subseteq K$, let
\[ \varphi_I := \exists x_1 \ldots \exists x_k \Big( \bigwedge_{i, j \in I,\ i < j} d(x_i, x_j) > 2^{p+1} r \;\wedge\; \bigwedge_{i \in I} \psi_i(x_i) \Big). \]
Since $\mathcal{A} \models \varphi$, we have $\mathcal{A} \models \varphi_I$. Thus, since $\varphi_I$ is an existential local sentence of rank at most $(k \cdot (w+1), 2^{\ldots}\, r)$, we also have $\mathcal{B} \models \varphi_I$.

Step 4. Let $L := \{1, \ldots, l\}$. We define a relation $R \subseteq K \times L$ as follows: For $i \in K$, $j \in L$ let $i R j$ if there is a $b \in B$ such that $\mathcal{B} \models \psi_i(b)$ and $d^{\mathcal{B}}(b, c_j) \leq 2^p r$.

Claim: For every $I \subseteq K$ the set $R(I) := \{ j \in L \mid \exists i \in I : i R j \}$ contains at least as many elements as $I$.

Proof: Recall that $\mathcal{B} \models \varphi_I$. For $i \in I$, let $b_i \in B$ such that for all $i, j \in I$ with $i < j$ we have $d^{\mathcal{B}}(b_i, b_j) > 2^{p+1} r$ and for all $i \in I$ we have $\mathcal{B} \models \psi_i(b_i)$. Then $b_i \in C$, and thus there exists a $j \in L$ such that $d^{\mathcal{B}}(b_i, c_j) \leq 2^p r$. Since $d^{\mathcal{B}}(b_i, b_j) > 2^{p+1} r$, for every $j \in L$ there can be at most one $i \in I$ such that $d^{\mathcal{B}}(b_i, c_j) \leq 2^p r$. This proves the claim.

By the marriage theorem, there exists a one-to-one mapping $f$ of $K$ into $L$ such that for all $i \in K$ we have $i R f(i)$. In other words, there exist $b_1, \ldots, b_k$ such that for $1 \leq i \leq k$ we have $\mathcal{B} \models \psi_i(b_i)$ and $d^{\mathcal{B}}(b_i, c_{f(i)}) \leq 2^p r$. Since $d^{\mathcal{B}}(c_{f(i)}, c_{f(j)}) > 2^{p+1} r$, the latter implies $d^{\mathcal{B}}(b_i, b_j) > 2r$. Thus
\[ \mathcal{B} \models \exists x_1 \ldots \exists x_k \Big( \bigwedge_{1 \leq i < j \leq k} d(x_i, x_j) > 2r \;\wedge\; \bigwedge_{i=1}^{k} \psi_i(x_i) \Big). \qquad \square \]

Lemma 5. There is a function $f(k)$, such that the following holds for all $k \geq 1$: Let $\mathcal{A}, \mathcal{B}$ be structures such that every existential local sentence of rank $(k(k+1), f(k))$ that holds in $\mathcal{A}$ also holds in $\mathcal{B}$. Then every existential sentence of weight at most $k$ that holds in $\mathcal{A}$ also holds in $\mathcal{B}$.

Proof: Since every existential sentence is equivalent to a disjunction of conjunctive queries with negation of the same weight, it suffices to prove that every conjunctive query with negation of weight $k$ that holds in $\mathcal{A}$ also holds in $\mathcal{B}$. Let
\[ \varphi := \exists x_1 \ldots \exists x_k\, \psi(x_1, \ldots, x_k) \]
with
\[ \psi(x_1, \ldots, x_k) := \Big( \bigwedge_{i=1}^{p} \alpha_i \;\wedge\; \bigwedge_{i=1}^{q} \beta_i \Big), \]
where all the $\alpha_i$ are atoms and the $\beta_i$ are negated atoms. Suppose that $\mathcal{A} \models \varphi$. We shall prove that $\mathcal{B} \models \varphi$.

We define the positive graph of $\varphi$ to be the graph $\mathcal{G}$ with universe $G := \mathrm{var}(\varphi) = \{x_1, \ldots, x_k\}$ and
\[ E^{\mathcal{G}} := \{ xy \mid \exists i,\ 1 \leq i \leq p : x, y \in \mathrm{var}(\alpha_i) \}. \]
Let $H_1, \ldots, H_r$ be the connected components of $\mathcal{G}$. Without loss of generality, we may assume that for $1 \leq i \leq r$ we have $x_i \in H_i$. Then we know that $H_i \subseteq N_k^{\mathcal{G}}(x_i)$. If $r = 1$, then this means that $\mathrm{var}(\varphi) \subseteq N_k^{\mathcal{G}}(x_1)$, and $\varphi$ is equivalent to the $k$-local sentence
\[ \exists x_1\, \exists x_2 \in N_k(x_1) \ldots \exists x_k \in N_k(x_1)\ \psi \]
of rank $(k, k)$. If we choose $f$ such that $f(k) \geq k$, then $\mathcal{A} \models \varphi$ implies $\mathcal{B} \models \varphi$. In the following, we assume that $r \geq 2$.

Let $c_0 := 0$ and $c_{i+1} := 2^{\ldots}(c_i + k + 1)$ for $i \geq 0$. We let $R := \{ \{i,j\} \mid 1 \leq i < j \leq r \}$, $h := |R| = \binom{r}{2}$ and
\[ f(k) = 2^{\ldots}(c_h + k + 1). \qquad (2) \]
For $\bar a = a_1 \ldots a_r \in A^r$, the distance pattern of $\bar a$ is the mapping $\Delta_{\bar a} : R \to \{0, \ldots, h\}$ defined by
\[ \Delta_{\bar a}(\{i,j\}) := \begin{cases} 0 & \text{if } d^{\mathcal{A}}(a_i, a_j) = 0 \\ t & \text{if } c_t < d^{\mathcal{A}}(a_i, a_j) \leq c_{t+1} \text{ for some } t \text{ such that } 0 \leq t < h \\ h & \text{if } d^{\mathcal{A}}(a_i, a_j) > c_h \end{cases} \]
By the pigeonhole principle, for every distance pattern $\Delta$ there is an integer $\mathrm{gap}(\Delta)$ such that $0 \leq \mathrm{gap}(\Delta) \leq h$ and $\Delta(\{i,j\}) \neq \mathrm{gap}(\Delta)$ for all $\{i,j\} \in R$.

Let $\bar a = a_1 \ldots a_k \in A^k$ such that $\mathcal{A} \models \psi(\bar a)$. Let $\Delta := \Delta_{a_1 \ldots a_r}$ and $g := \mathrm{gap}(\Delta)$. Then for all $\{i,j\} \in R$ we either have $d(a_i, a_j) \leq c_g$ or $d(a_i, a_j) > 2^{\ldots}(c_g + k + 1)$. This implies that the relation on $\{a_1, \ldots, a_r\}$ defined by $d^{\mathcal{A}}(a_i, a_j) \leq c_g$ is an equivalence relation. Without loss of generality, we may assume that $a_1, \ldots, a_s$ form a system of representatives of the equivalence classes.

We let $l := c_g + k$. For $1 \leq i \leq s$, we let $I_i := \{ j \mid 1 \leq j \leq k,\ d^{\mathcal{A}}(a_i, a_j) \leq l \}$. Then $(I_i)_{1 \leq i \leq s}$ is a partition of $\{1, \ldots, k\}$. To see this, first recall that for $1 \leq j \leq r$ there is an $i$, $1 \leq i \leq s$, such that $d^{\mathcal{A}}(a_i, a_j) \leq c_g$. For $t$ with $r+1 \leq t \leq k$ there exists a $j$, $1 \leq j \leq r$, such that $x_t \in H_j$, the connected component of $x_j$ in the positive graph of $\varphi$. Since $\mathcal{A} \models \psi(\bar a)$, this implies that $d^{\mathcal{A}}(a_j, a_t) \leq k$. Thus there exists an $i$, $1 \leq i \leq s$, such that $d^{\mathcal{A}}(a_i, a_t) \leq c_g + k$.

For $1 \leq i \leq s$, we let
\[ \psi_i(x_i) := \exists \bar x^i \in N_l(x_i) \Big( \bigwedge_{\mathrm{var}(\alpha_j) \subseteq I_i} \alpha_j \;\wedge\; \bigwedge_{\mathrm{var}(\beta_j) \subseteq I_i} \beta_j \Big), \]
where $\bar x^i$ consists of all variables $x_j$ with $j \in I_i \setminus \{i\}$. Then for $1 \leq i \leq s$ we have $\mathcal{A} \models \psi_i(a_i)$, because $\mathcal{A} \models \psi(\bar a)$. Thus
\[ \mathcal{A} \models \exists x_1 \ldots \exists x_s \Big( \bigwedge_{1 \leq i < j \leq s} d(x_i, x_j) > 2^{\ldots}(l+1) \;\wedge\; \bigwedge_{i=1}^{s} \psi_i(x_i) \Big). \]
Since $f(k) = 2^{\ldots}(c_h + k + 1) \geq 2^{\ldots}(l+1)$, by Lemma 4, this implies
\[ \mathcal{B} \models \exists x_1 \ldots \exists x_s \Big( \bigwedge_{1 \leq i < j \leq s} d(x_i, x_j) > 2(l+1) \;\wedge\; \bigwedge_{i=1}^{s} \psi_i(x_i) \Big). \]


Thus there exist $b_1, \ldots, b_s \in B$ such that for $1 \leq i < j \leq s$ we have $d^{\mathcal{B}}(b_i, b_j) > 2(l+1)$ and for $1 \leq i \leq s$ we have $\mathcal{B} \models \psi_i(b_i)$. Since $I_1, \ldots, I_s$ is a partition of $\{1, \ldots, k\}$, there are $b_{s+1}, \ldots, b_k \in B$ such that:

(i) $d^{\mathcal{B}}(b_i, b_j) \leq l$ for all $j \in I_i$.

(ii) $\mathcal{B} \models \alpha_j(\bar b)$ for all $j$, $1 \leq j \leq p$, such that $\mathrm{var}(\alpha_j) \subseteq I_i$.

(iii) $\mathcal{B} \models \beta_j(\bar b)$ for all $j$, $1 \leq j \leq q$, such that $\mathrm{var}(\beta_j) \subseteq I_i$.

We claim that $\mathcal{B} \models \psi(\bar b)$. Since for each connected component $H_j$ of the positive graph of $\varphi$ there is an $i$, $1 \leq i \leq s$, such that $t \in I_i$ whenever $x_t \in H_j$, (ii) implies that $\mathcal{B} \models \alpha_j(\bar b)$ for $1 \leq j \leq p$. It remains to prove that $\mathcal{B} \models \beta_j(\bar b)$ for $1 \leq j \leq q$. If $\mathrm{var}(\beta_j) \subseteq I_i$ for some $i$, then $\mathcal{B} \models \beta_j(\bar b)$ by (iii). Otherwise, $\beta_j$ has variables $x_u, x_v$ such that there exist $i \neq i'$ with $x_u \in I_i$, $x_v \in I_{i'}$. Then by (i), $d^{\mathcal{B}}(b_i, b_u) \leq l$ and $d^{\mathcal{B}}(b_{i'}, b_v) \leq l$. Since $d^{\mathcal{B}}(b_i, b_{i'}) > 2l + 1$, this implies $d^{\mathcal{B}}(b_u, b_v) > 1$. Since $\beta_j$ is a negated atom, this implies $\mathcal{B} \models \beta_j(\bar b)$.

Thus $\mathcal{B} \models \varphi$. □

Proof (of Theorem 2): Let $\varphi$ be an existential sentence of weight $k$ and $\mathcal{K} := \{ \mathcal{A} \mid \mathcal{A} \models \varphi \}$ the class of all finite structures satisfying $\varphi$. Let $\Gamma$ be the set of all existential local sentences of rank at most $(k(k+1), f(k))$, where $f$ is the function from Lemma 5. Let
\[ \varphi' := \bigvee_{\mathcal{A} \in \mathcal{K}}\ \bigwedge_{\theta \in \Gamma,\ \mathcal{A} \models \theta} \theta. \]
We claim that $\varphi$ is equivalent to $\varphi'$. The forward implication is trivial, and the backward implication follows from Lemma 5. Since up to logical equivalence, the set $\Gamma$ is finite and therefore $\varphi'$ contains at most $2^{|\Gamma|}$ non-equivalent disjuncts, this proves the theorem. □

Our proof of the existential version of Gaifman’s theorem does not give us 
good bounds on the size and rank of the local formulas to which we trans- 
late a given existential formula. Therefore, for the algorithmic applications, it is 
preferable to work with the following weaker version of Theorem 2, which gives 
us better bounds. 
An asymmetric local sentence is a sentence $\varphi$ of the form
\[ \exists x_1 \ldots \exists x_k \Big( \bigwedge_{1 \leq i < j \leq k} d(x_i, x_j) > 2r \;\wedge\; \bigwedge_{1 \leq i \leq k} \psi_i(x_i) \Big), \]
where $r, k \geq 1$ and $\psi_1(x), \ldots, \psi_k(x)$ are $r$-local. $\varphi$ is an existential asymmetric local sentence, if in addition $\psi_1(x), \ldots, \psi_k(x)$ are existential.

An $r$-local conjunctive query with negation, for some $r \geq 1$, is a formula of the form $\exists y_1 \in N_r(x) \ldots \exists y_m \in N_r(x)\ \bigwedge_{i=1}^{n} \lambda_i$, where each $\lambda_i$ is a literal.

Theorem 6. Every existential first-order sentence $\varphi$ is equivalent to a disjunction $\varphi'$ of existential asymmetric local sentences.

More precisely, if $k$ is the weight of $\varphi$ and $l$ its size, then $\varphi'$ is a disjunction of asymmetric local sentences of the form
\[ \exists x_1 \ldots \exists x_k \Big( \bigwedge_{1 \leq i < j \leq k} d(x_i, x_j) > 2r \;\wedge\; \bigwedge_{1 \leq i \leq k} \psi_i(x_i) \Big), \]
where $\psi_1, \ldots, \psi_k$ are $r$-local conjunctive queries with negation. The rank of each of these local sentences is at most $(k, 2^{\ldots})$ and their size is in $O(l)$.

Furthermore, there is a polynomial $p$ and an algorithm translating $\varphi$ to $\varphi'$ in time $\ldots$

Proof: We first assume that $\varphi$ is a conjunctive query with negation, say,
\[ \varphi := \exists x_1 \ldots \exists x_k\, \psi(x_1, \ldots, x_k) \]
with
\[ \psi(x_1, \ldots, x_k) := \bigwedge_{i=1}^{p} \alpha_i \;\wedge\; \bigwedge_{i=1}^{q} \beta_i, \]
where all the $\alpha_i$ are atoms and the $\beta_i$ are negated atoms. Without loss of generality, we may assume that $k \geq 2$, because for $k = 1$ there is nothing to prove. We define the positive graph of $\varphi$ to be the graph $\mathcal{G}$ with $G := \mathrm{var}(\varphi) = \{x_1, \ldots, x_k\}$ and
\[ E^{\mathcal{G}} := \{ xy \mid \exists i,\ 1 \leq i \leq p : x, y \in \mathrm{var}(\alpha_i) \}. \]
Let $H_1, \ldots, H_r$ be the connected components of $\mathcal{G}$. Without loss of generality, we may assume that $r \geq 2$, and that for $1 \leq i \leq r$ we have $x_i \in H_i$. Then we know that $H_i \subseteq N_k^{\mathcal{G}}(x_i)$.

Let $c_0 := 0$ and $c_{i+1} := 2(c_i + k + 1)$ for $i \geq 0$. Let $R := \{ \{i,j\} \mid 1 \leq i < j \leq r \}$ and $h := |R| = \binom{r}{2}$. It is not difficult to prove that $c_h + k + 1 \leq 2^{\ldots}$.

Let $\mathcal{A}$ be a structure and $\bar a = a_1 \ldots a_r \in A^r$. The distance pattern of $\bar a$ is the mapping
\[ \Delta_{\bar a} : R \to \{0, \ldots, h\} \]
defined by
\[ \Delta_{\bar a}(\{i,j\}) := \begin{cases} 0 & \text{if } d^{\mathcal{A}}(a_i, a_j) = 0 \\ t & \text{if } c_t < d^{\mathcal{A}}(a_i, a_j) \leq c_{t+1} \text{ for some } t \text{ such that } 0 \leq t < h \\ h & \text{if } d^{\mathcal{A}}(a_i, a_j) > c_h \end{cases} \]
By the pigeonhole principle, for every distance pattern $\Delta$ there is a number $\mathrm{gap}(\Delta)$, $0 \leq \mathrm{gap}(\Delta) \leq h$, such that $\Delta(\{i,j\}) \neq \mathrm{gap}(\Delta)$ for all $\{i,j\} \in R$.

Let $\bar a \in A^r$, $\Delta := \Delta_{\bar a}$, and $g := \mathrm{gap}(\Delta)$. Then for all $\{i,j\} \in R$ we either have $d(a_i, a_j) \leq c_g$ or $d(a_i, a_j) > 2(c_g + k + 1)$. This implies that the relation on $\{a_1, \ldots, a_r\}$ defined by $d^{\mathcal{A}}(a_i, a_j) \leq c_g$ is an equivalence relation. Without loss of generality, we may assume that $a_1, \ldots, a_s$ form a system of representatives of the equivalence classes.

Now suppose that we extend $a_1 \ldots a_r$ to a $k$-tuple $\bar a = a_1 \ldots a_k \in A^k$ such that $\mathcal{A} \models \psi(\bar a)$. We let $l := c_g + k$. For $1 \leq i \leq s$, we let $I_i := \{ j \mid d^{\mathcal{A}}(a_i, a_j) \leq l \}$. Then $(I_i)_{1 \leq i \leq s}$ is a partition of $\{1, \ldots, k\}$. For $1 \leq i \leq s$, we let
\[ \psi_i(x_i) := \exists \bar x^i \in N_l(x_i) \Big( \bigwedge_{\mathrm{var}(\alpha_j) \subseteq I_i} \alpha_j \;\wedge\; \bigwedge_{\mathrm{var}(\beta_j) \subseteq I_i} \beta_j \Big), \]
where $\bar x^i$ consists of all variables $x_j$ with $j \in I_i \setminus \{i\}$, and
\[ \psi_\Delta(x_1, \ldots, x_s) := \bigwedge_{1 \leq i < j \leq s} d(x_i, x_j) > 2(l+1) \;\wedge\; \bigwedge_{1 \leq i \leq s} \psi_i(x_i). \]
Then $\mathcal{A} \models \psi_\Delta(a_1, \ldots, a_s)$. Furthermore, for every tuple $a'_1 \ldots a'_s \in A^s$ with $\mathcal{A} \models \psi_\Delta(a'_1, \ldots, a'_s)$ there exists an extension $\bar a' := a'_1 \ldots a'_k$ such that $\mathcal{A} \models \psi(\bar a')$. To see this, observe that every positive literal $\alpha_j$ occurs in an $I_i$ and thus in $\psi_\Delta$, and every negative literal $\beta_j$ either occurs in an $I_i$ or has variables with indices in two distinct $I_i, I_{i'}$ and is thus automatically satisfied, because the variables are forced to be far apart.

The formula $\psi_\Delta(x_1, \ldots, x_s)$ only depends on the distance pattern $\Delta$ and not on the tuple $\bar a$ realizing it. So for every distance pattern $\Delta$ we obtain a formula $\psi_\Delta(\bar x^\Delta)$, whose free variables $\bar x^\Delta$ are among $x_1, \ldots, x_k$, with the following properties:

- $\exists \bar x^\Delta \psi_\Delta$ is an existential asymmetric local sentence of rank at most $(k, 2^{\ldots})$.
- For every tuple $\bar a \in A^k$ with $\mathcal{A} \models \psi(\bar a)$ and $\Delta_{\bar a} = \Delta$ we have $\mathcal{A} \models \psi_\Delta(\bar a^\Delta)$, where $\bar a^\Delta$ consists of the same entries of $\bar a$ as $\bar x^\Delta$ of $\bar x$.
- Every tuple $\bar a^\Delta$ with $\mathcal{A} \models \psi_\Delta(\bar a^\Delta)$ can be extended to a tuple $\bar a = a_1 \ldots a_k$ such that $\mathcal{A} \models \psi(\bar a)$.

The last two items imply that $\varphi$ is equivalent to the formula
\[ \varphi' := \bigvee_{\Delta\ \text{distance pattern}} \exists \bar x^\Delta \psi_\Delta. \]

Martin Grohe and Stefan Wöhrle

It is not hard to see that the number of distance patterns is in $2^{\ldots}$; thus $\varphi$ is a disjunction of $2^{\ldots}$ existential asymmetric local sentences of rank at most $(k, 2^{\ldots})$ and size in $O(l)$ (where $l$ denotes the length of $\varphi$).

If $\varphi$ is an arbitrary existential sentence, we first transform it to a disjunction of at most $2^l$ conjunctive queries with negation of the same weight as $\varphi$.

Finally, we observe that the translation from $\varphi$ to the disjunction of asymmetric local formulas is effective within the desired time bound: Given $\varphi$, we first translate it to a disjunction of conjunctive queries with negation. This is possible in time $\ldots$ Then we treat each of the conjunctive queries with negation separately. We compute the positive graph and all possible patterns. For each pattern $\Delta$, we compute the gap and then the formula $\psi_\Delta$. Since $k \leq l$, this is clearly possible in time $\ldots$ for a suitable polynomial $p$. □
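As an added illustration (not part of the paper) of the construction used in the proofs of Lemma 5 and Theorem 6, the Python below computes the thresholds $c_t$, the distance pattern $\Delta_{\bar a}$ of a tuple and its gap, and checks the two consequences the proof relies on: every pair is either at distance at most $c_g$ or at distance greater than $c_{g+1} = 2(c_g + k + 1)$, and the relation $d \leq c_g$ is an equivalence relation on the points. The distance is passed in as a function; the demo uses the path graph with $d(i,j) = |i-j|$, a constructed input, and the names `thresholds`, `distance_pattern`, `gap`, `separation` and `path_distance` are the example's own.

```python
"""Added example (not from the paper): thresholds c_t, distance pattern of a
tuple, its gap, and the equivalence relation d <= c_g from the proof of
Theorem 6.  Distances come from a callable; the demo uses a path graph."""
from itertools import combinations


def thresholds(k, h):
    """c_0 = 0, c_{t+1} = 2(c_t + k + 1); returns [c_0, ..., c_{h+1}]."""
    c = [0]
    for _ in range(h + 1):
        c.append(2 * (c[-1] + k + 1))
    return c


def distance_pattern(points, dist, k):
    """Delta: index pair (i, j) with i < j  ->  class in {0, ..., h}, h = C(r, 2)."""
    r = len(points)
    h = r * (r - 1) // 2
    c = thresholds(k, h)
    pattern = {}
    for i, j in combinations(range(r), 2):
        d = dist(points[i], points[j])
        if d == 0:
            cls = 0
        elif d > c[h]:
            cls = h
        else:  # exactly one t < h has c_t < d <= c_{t+1}
            cls = next(t for t in range(h) if c[t] < d <= c[t + 1])
        pattern[(i, j)] = cls
    return pattern


def gap(pattern, h):
    """A class in {0, ..., h} that no pair falls into: h pairs, h + 1 classes, so one exists."""
    used = set(pattern.values())
    return next(g for g in range(h + 1) if g not in used)


def separation(points, dist, k):
    """Return (g, c_g, classes): the gap g, the threshold c_g and the partition of the
    points by the relation d <= c_g.  The two assertions are the facts the proof uses."""
    r = len(points)
    h = r * (r - 1) // 2
    c = thresholds(k, h)
    g = gap(distance_pattern(points, dist, k), h)
    # every pair is close (<= c_g) or far (> c_{g+1} = 2(c_g + k + 1)); nothing in between
    for i, j in combinations(range(r), 2):
        d = dist(points[i], points[j])
        assert d <= c[g] or d > c[g + 1], "a pair landed in the gap class"
    classes = []
    for i in range(r):
        for cls in classes:
            if dist(points[i], points[cls[0]]) <= c[g]:
                # transitivity: close to the representative implies close to every member,
                # because 2 c_g < c_{g+1} rules out the "far" alternative
                assert all(dist(points[i], points[m]) <= c[g] for m in cls)
                cls.append(i)
                break
        else:
            classes.append([i])
    return g, c[g], [frozenset(points[i] for i in cls) for cls in classes]


def path_distance(a, b):
    """Distance in the path graph with vertices 0, 1, 2, ... (constructed example)."""
    return abs(a - b)


if __name__ == "__main__":
    # three positions on the path for a query of weight k = 3: two close, one far away
    print(thresholds(3, 3))
    print(distance_pattern([0, 5, 100], path_distance, 3))
    print(separation([0, 5, 100], path_distance, 3))
```

With $k = 3$ and three points the thresholds are $0, 8, 24, 56, 120$; the pairs fall into classes $0, 3, 3$, so the gap is $1$ and the points split into the classes $\{0, 5\}$ and $\{100\}$ under $d \leq c_1 = 8$.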



4 An Algorithmic Application 



The appropriate structural notion for the algorithmic applications of locality is bounded local tree-width. We assume that the reader is familiar with the definition of tree-width of graphs (see e.g. [4]). The tree-width of a structure $\mathcal{A}$, denoted by $\mathrm{tw}(\mathcal{A})$, is the tree-width of its Gaifman graph. The local tree-width of a structure $\mathcal{A}$ is the function $\mathrm{ltw}_{\mathcal{A}} : \mathbb{N} \to \mathbb{N}$ defined by
\[ \mathrm{ltw}_{\mathcal{A}}(r) := \max\big\{ \mathrm{tw}(\langle N_r^{\mathcal{A}}(a) \rangle^{\mathcal{A}}) \;\big|\; a \in A \big\}. \]
A class $C$ of structures has bounded local tree-width if there is a function $\lambda : \mathbb{N} \to \mathbb{N}$ such that $\mathrm{ltw}_{\mathcal{A}}(r) \leq \lambda(r)$ for all $\mathcal{A} \in C$, $r \in \mathbb{N}$. Many well-known classes of structures have bounded local tree-width, among them the class of planar graphs and all classes of structures of bounded degree.



Theorem 7 (Frick and Grohe [11]). Let $C$ be a class of structures of bounded local tree-width. Then there is a function $f$ and, for every $\epsilon > 0$, an algorithm deciding in time $O(f(\|\varphi\|)\,|A|^{1+\epsilon})$ whether a given structure $\mathcal{A} \in C$ satisfies a given first-order sentence $\varphi$.

If the class $C$ is locally tree-decomposable, which is a slightly stronger requirement than having bounded local tree-width, then there is a function $f$ and an algorithm deciding whether a given structure $\mathcal{A} \in C$ satisfies a given first-order sentence $\varphi$ in time $O(f(\|\varphi\|)\,|A|)$.

These algorithms proceed as follows: Given a structure $\mathcal{A}$ and a sentence $\varphi$, they first translate $\varphi$ to a Boolean combination of local sentences. Then they evaluate each local sentence and combine the results. To evaluate a local sentence, say,
\[ \exists x_1 \ldots \exists x_k \Big( \bigwedge_{1 \leq i < j \leq k} d(x_i, x_j) > 2r \;\wedge\; \bigwedge_{1 \leq i \leq k} \psi(x_i) \Big), \]
they first compute the set $\psi(\mathcal{A})$ of all $a \in A$ such that $\mathcal{A} \models \psi(a)$. Since $\psi$ is local and the class $C$ has bounded local tree-width or even is locally tree-decomposable, this is possible quite efficiently. (In the special case of structures of bounded degree, this is easy to see, because $\psi$ only has to be evaluated in substructures of $\mathcal{A}$ of bounded size.) Finally, the algorithms test whether there are $a_1, \ldots, a_k \in \psi(\mathcal{A})$ of pairwise distance greater than $2r$. This is possible in linear time by the following lemma:

Lemma 8 (Frick and Grohe [11]). Let $C$ be a class of structures of bounded local tree-width. Then there is a function $g$ and an algorithm that, given a structure $\mathcal{A}$, a subset $P \subseteq A$, and integers $k, r$, decides in time $O(g(k,r)\,|A|)$ whether there are $a_1, \ldots, a_k \in P$ of pairwise distance greater than $2r$.

The drawback of these algorithms is that we cannot even give an elementary upper bound for the function $f$ in Theorem 7. The main reason for the enormous runtime of the algorithms in terms of the formula size is that to evaluate the local formulas, they translate them to tree-automata, and in the worst case the size of these automata grows exponentially with each quantifier alternation. Therefore, it is a natural idea to bound the number of quantifier alternations in order to obtain smaller automata. But this would require that the translation of first-order sentences into local sentences preserves the quantifier structure. Unfortunately, the known proofs of Gaifman's theorem do not preserve the quantifier structure of the input formula.

These considerations motivated the present paper. Indeed, Theorem 2 shows that existential first-order sentences can be translated into Boolean combinations of existential local formulas. The price we pay for this is that these Boolean combinations of existential local formulas can get enormously large. Therefore, we use Theorem 6, because this theorem at least gives us an exponential upper bound on the size of the resulting formula. To evaluate an asymmetric local sentence, say
\[ \exists x_1 \ldots \exists x_k \Big( \bigwedge_{1 \leq i < j \leq k} d(x_i, x_j) > 2r \;\wedge\; \bigwedge_{1 \leq i \leq k} \psi_i(x_i) \Big), \]
where the $\psi_i$ are conjunctive queries with negation, we first compute the sets $\psi_1(\mathcal{A}), \ldots, \psi_k(\mathcal{A})$. This can be done as in the algorithms described above, but is actually faster since the $\psi_i$ are conjunctive queries with negation. We use Lemma 9. Then we have to decide whether there are $a_1 \in \psi_1(\mathcal{A}), \ldots, a_k \in \psi_k(\mathcal{A})$ of pairwise distance greater than $2r$. Lemma 10 is an analogue of Lemma 8 for this more general situation.

Lemma 9. There is a polynomial $p$ and an algorithm that solves the following problem in time $\ldots \cdot |A|$.

Input: Structure $\mathcal{A}$, conjunctive query with negation $\varphi$.
Problem: Decide if $\mathcal{A} \models \varphi$.



Details of the proof of Lemma 9 and the following Lemma 10 can be found in the full version of this paper [13] and in the second author's Diploma thesis [21].
Lemma 10. There is a polynomial $p$ and an algorithm that solves the following problem in time $\ldots$

Input: Structure $\mathcal{A}$, sets $P_1, \ldots, P_k \subseteq A$, integer $r \geq 1$.

Problem: Decide if there are $a_1 \in P_1, \ldots, a_k \in P_k$ of pairwise distance greater than $k$.
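The following Python is an added example, not code from [11] or from this paper, of the evaluation procedure just described: it computes the sets $\psi_i(\mathcal{A})$ for $1$-local conjunctive queries on a small constructed colored graph and then searches for $a_1 \in \psi_1(\mathcal{A}), \ldots, a_k \in \psi_k(\mathcal{A})$ of pairwise distance greater than $2r$, the problem of Lemma 10. The search is plain backtracking over the candidate sets and does not reproduce the running time of Lemma 10, which depends on bounded local tree-width; the graph, the colors and all function names are assumptions of the example.

```python
"""Added example (not from the paper): evaluate an existential asymmetric
local sentence by computing psi_1(A), ..., psi_k(A) and then searching for
a_1 in psi_1(A), ..., a_k in psi_k(A) of pairwise distance > 2r.  The search
is backtracking, not the bounded-local-tree-width algorithm of Lemma 10."""

INF = float("inf")


def all_pairs_distances(adj):
    """Floyd-Warshall on an undirected adjacency dict; fine for the small demo graph."""
    nodes = list(adj)
    dist = {a: {b: 0 if a == b else (1 if b in adj[a] else INF) for b in nodes} for a in nodes}
    for m in nodes:
        for a in nodes:
            for b in nodes:
                if dist[a][m] + dist[m][b] < dist[a][b]:
                    dist[a][b] = dist[a][m] + dist[m][b]
    return dist


def scattered_tuple(sets, dist, r):
    """Some (a_1, ..., a_k) with a_i in sets[i] and d(a_i, a_j) > 2r for all i < j, else None."""
    chosen = []

    def extend(i):
        if i == len(sets):
            return True
        for a in sets[i]:
            if all(dist[a][b] > 2 * r for b in chosen):  # keep the partial tuple scattered
                chosen.append(a)
                if extend(i + 1):
                    return True
                chosen.pop()
        return False

    return tuple(chosen) if extend(0) else None


def evaluate_asymmetric_local(adj, local_formulas, r):
    """psi_i(A) for each local query, then the scattered-tuple test; returns witnesses or None."""
    dist = all_pairs_distances(adj)
    sets = [[a for a in adj if psi(adj, dist, a)] for psi in local_formulas]
    return scattered_tuple(sets, dist, r)


# constructed structure: path 0-1-2-3-4-5-6 with an extra vertex 7 hanging off 3
ADJ = {i: set() for i in range(8)}
for a, b in [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (5, 6), (3, 7)]:
    ADJ[a].add(b)
    ADJ[b].add(a)
COLOR = {0: "red", 6: "red", 1: "blue", 5: "blue", 3: "green", 7: "green"}


def red_with_blue_neighbor(adj, dist, x):
    """1-local conjunctive query: Red(x) and exists y in N_1(x) (E(x,y) and Blue(y))."""
    return COLOR.get(x) == "red" and any(COLOR.get(y) == "blue" for y in adj[x])


def green(adj, dist, x):
    """Quantifier-free, hence local for every radius: Green(x)."""
    return COLOR.get(x) == "green"


def blue(adj, dist, x):
    """Quantifier-free: Blue(x)."""
    return COLOR.get(x) == "blue"


def pairwise_far(witness, dist, r):
    """Independent check that a returned witness really has pairwise distance > 2r."""
    return all(dist[a][b] > 2 * r for i, a in enumerate(witness) for b in witness[i + 1:])


if __name__ == "__main__":
    print(evaluate_asymmetric_local(ADJ, [red_with_blue_neighbor, green], 1))        # a witness pair
    print(evaluate_asymmetric_local(ADJ, [red_with_blue_neighbor, green], 2))        # no witnesses
    print(evaluate_asymmetric_local(ADJ, [red_with_blue_neighbor, green, blue], 1))  # a witness triple
```

With $r = 1$ the red element $0$ (its neighbor $1$ is blue) and the green element $3$ are at distance $3 > 2$, so the sentence holds; with $r = 2$ every red/green pair is at distance at most $4$, so it fails, which is exactly the disjoint-neighborhood condition the $d(x_i, x_j) > 2r$ conjuncts encode.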



If we combine these two lemmas together with Theorem 6 and plug them into the algorithms described in [11], we obtain the following theorem.

Theorem 11. Let $C$ be a class of structures whose local tree-width is bounded by a function $\lambda : \mathbb{N} \to \mathbb{N}$ (i.e., for all $\mathcal{A} \in C$ and $r \geq 0$ we have $\mathrm{ltw}_{\mathcal{A}}(r) \leq \lambda(r)$). Then there are polynomials $p, q$ such that for every $\epsilon > 0$ there is an algorithm that, given a structure $\mathcal{A}$ and an existential first-order sentence $\varphi$, decides if $\mathcal{A} \models \varphi$ in time
\[ O\Big( 2^{2^{\,p\left( \lambda(q(\|\varphi\| + (1/\epsilon))) + \|\varphi\| + (1/\epsilon) \right)}} \cdot |A|^{1+\epsilon} \Big), \]
i.e., in time doubly exponential in $\|\varphi\|$, $(1/\epsilon)$, $\lambda(q(\|\varphi\| + (1/\epsilon)))$ and near linear in $|A|$.

For many interesting classes of structures of bounded local tree-width, such as planar graphs, the local tree-width is bounded by a linear function $\lambda$.



5 Conclusions 

Our main result is an existential version of Gaifman’s locality theorem. It would 
be interesting to see if there are similar structure preserving locality theorems for 
other classes of first-order formulas, such as formulas monotone in some relation 
symbol or A72-formulas. The combinatorial techniques we use in our proof seem 
to be specific to existential formulas; we do not see how to apply them to other 
classes of formulas. With the algorithmic applications in mind, it would be nice 
to get better bounds on the size and rank of the Boolean combinations of local 
sentences the locality theorems give us, both in the existential and in the general 
case. 

In the second part of the paper, we show how a variant of our locality theorem can be applied to evaluate existential first-order sentences in structures of bounded local tree-width by improving an algorithm of [11] for the special case of existential sentences. We are able to prove a doubly exponential upper bound for the dependence of the runtime of the algorithm on the size of the input sentence. Though not really convincing, it is much better than what we have for arbitrary first-order sentences — recall that no elementary bound is known there — and it shows that quantifier alternation really is an important factor contributing to the large complexity. It might be possible to further improve the algorithm to obtain a (singly) exponential dependence on the size of the input sentence. But even then we would probably not get a practical algorithm, because the hidden constant would still be too large.

The best chance to get practical algorithms might be to concentrate on particular classes of graphs, such as graphs of bounded degree or planar graphs, and use their specific properties. For example, the local tree-width of planar graphs is bounded by the function r ↦ 3 · r, and it is quite easy to compute tree-decompositions of neighborhoods in planar graphs [2,9]. This already eliminates certain very expensive parts of our algorithms. The algorithms can also be improved by using weaker forms of locality. We have taken a step in this direction by admitting asymmetric local sentences. Further improvement might be possible by admitting "weak" asymmetric sentences stating that there are elements of pairwise distance greater than s satisfying some r-local condition, where s is no longer required to be 2r. For the algorithms, it does not really matter if the local neighborhoods are disjoint, and relaxing this condition may give us smaller formulas.
Abstract. This paper presents a methodology for reasoning about the computational complexity of functional programs. We introduce a first order arithmetic AT° which is a syntactic restriction of Peano arithmetic. We establish that the set of functions which are provably total in AT° is exactly the set of polynomial time functions. The cut-elimination process is polynomial time computable.

Compared to other feasible arithmetics, AT° is conceptually simpler. The main feature of AT° concerns the treatment of quantification. The range of quantifiers is restricted to the set of actual terms, which is the set of constructor terms with variables. The inductive formulas are restricted to conjunctions of atomic formulas.



1 Introduction

1.1 Motivation

We investigate feasible logics, that is, systems in which the class of provably total functions is exactly the set of polynomial time functions. There are three main motivations:

1. Proof development environments based on the proofs-as-programs principle, such as Alf, Coq and Nuprl, synthesise correct programs. The efficiency of a program is not guaranteed, though it is a crucial property of a running implementation. Benzinger [4] has developed a prototype to determine the runtime of Nuprl-extracted programs. Here, we propose instead a proof-theoretical method to analyse the runtime complexity of extracted programs.

2. Computational Complexity Theory (CCT) delineates classes of functions which are computable within bounded resources. CCT characterisations are extensional, that is, all functions of a given class are captured, but most of the efficient algorithms are missing. Runtime analysis of programs requires reasoning about programs, or about proofs in the "proofs-as-programs" context. For this, we need to develop logics to study the algorithmic content of proofs.

3. It seems worthwhile to develop feasible logics in order to reason about "polynomial-time mathematics", analogous to constructive mathematics.


L. Fribourg (Ed.): CSL 2001, LNCS 2142, pp. 115-129, 2001. 
1.2 This Arithmetic

We propose a sub-system of first order Peano arithmetic, AT, in which, intuitively, we quantify over terms that actually exist. The range of quantifiers is limited to terms that we call actual terms. The set of actual terms is the free word algebra with variables. This restriction implies the actual elimination quantifier principle, which stipulates that from ∀x.A we derive A[x ← p] where p is an actual term, i.e. p ∈ T(W, X). The system AT is confluent and strongly normalizable.



1.3 First Order Logic with Actual Quantification

We present the natural deduction calculus AT. We assume some familiarity with natural deduction, see Prawitz [24] or Girard, Lafont and Taylor [9]. Terms are divided into different categories which are listed in Figure 1. Actual terms are built up from constructors of W and variables of X, and form the set T(W, X). The logical rules of AT are written in Figure 2.

The difference with the {→, ∧, ∀}-fragment of minimal logic is the actual elimination quantifier principle, which is obtained by the ∀E°-rule.



1.4 Arithmetic over Words with Actual Quantification

We extend AT to an arithmetic AT(W) in order to reason about the free word algebra T(W). The set of words is denoted by a unary predicate W together with the rules displayed in Figure 3. Throughout, we shall make no distinction between the set of words {0, 1}* and the set T(W) of constructor terms.

Following Martin-Löf [22] and Leivant [18,20], the introduction rules indicate the construction of words, and the elimination rules specify the computational behaviour associated with them. Both elimination rules, that is the induction rule and the selection rule, are necessary because of the actual elimination quantifier principle. Indeed, the induction rule schema Ind(W) corresponds to the usual induction. However, the range of the universal quantifier is restricted to actual terms. So, the last quantifier of the induction filters the instantiation through the ∀E°-rule. Roughly speaking, an induction is guarded by a universal quantifier, like a proof-net box in linear logic.



(Constructors)      W ∋ c ::= ε | s₀ | s₁
(Function symbols)  F ∋ f ::= f | g | h | … with fixed arities
(Variables)         X ∋ x ::= x | y | z | …
(Words)             T(W) ∋ w ::= ε | s₀(w) | s₁(w)
(Terms)             T(W, F, X) ∋ t ::= ε | s₀(t) | s₁(t) | f(t₁, …, tₙ) | x
(Actual terms)      T(W, X) ∋ p ::= ε | s₀(p) | s₁(p) | x

Fig. 1. Categories of terms
Premiss: A (Predicate A)

Introduction rules                          Elimination rules

  {A}
   ⋮
   B                                         A → B    A
  ───── →I                                  ──────────── →E
  A → B                                          B

  A₁   A₂                                    A₁ ∧ A₂
  ─────── ∧I                                 ─────── ∧E
  A₁ ∧ A₂                                      Aᵢ

    A                                          ∀x.A
  ───── ∀I                                   ──────── ∀E°, where p ∈ T(W, X)
  ∀x.A                                       A[x ← p]

Restrictions on the rules

– In the ∀I-rule, x is not free in any premiss.
– In the ∀E°-rule, p is an actual term, i.e. p ∈ T(W, X).

Fig. 2. Logical rules of AT



On the other hand, the selection rule expresses that a word t is either the empty word ε, or sᵢ(y) for some term y. We shall employ the selection rule to perform definitions by cases over words. Unlike the induction rule, the term t in the conclusion of the selection rule can be any term. It is worth noticing that the application of the selection rule is restricted: there is no application of the ∀E°-rule in the derivations π_{s₀} and π_{s₁}. Thus, we prohibit nested applications of the induction rule inside the selection rule. Otherwise it would be possible to unguard an induction.

2 Reasoning over Programs

2.1 First Order Functional Programs

An equational program f is a set of (oriented) equations E. Each equation is of the form f(p₁, …, pₙ) → t where each pᵢ is an actual term and corresponds to a pattern. The term t is in T(W, F, X) and each variable of t also appears in f(p₁, …, pₙ).

The semantics is based on term rewriting. One might consult [7] for general references on rewrite systems. A set of equations E induces a rewriting rule u → v if the term v is obtained from u by applying an equation of E. We write t →! s to mean that s is a normal form of t. A program is confluent if the rewriting rule → is confluent, i.e. has the Church-Rosser property.
Introduction rules

                       W(t)            W(t)
  ──── εI            ──────── s₀I    ──────── s₁I
  W(ε)               W(s₀(t))        W(s₁(t))

Elimination rules

Selection

      π_{s₀}              π_{s₁}
       ⋮                   ⋮
  W(y) → A[s₀(y)]    W(y) → A[s₁(y)]    A[ε]    W(t)
  ──────────────────────────────────────────────── Sel(W)
                         A[t]

Induction

  ∀y.A[y], W(y) → A[s₀(y)]    ∀y.A[y], W(y) → A[s₁(y)]    A[ε]
  ───────────────────────────────────────────────────────────── Ind(W)
                        ∀x.W(x) → A[x]

Restrictions on the rules:

– In the Sel(W)-rule, the derivations π_{s₀} and π_{s₁} do not use the rule ∀E°. The variable y must not occur in any assumption on which A[t] depends.

Fig. 3. Rules for word reasoning in AT(W)



Definition 1. A confluent equational program f computes a function ⟦f⟧ over T(W) which is defined as follows.

For each wᵢ, v ∈ T(W), ⟦f⟧(w₁, …, wₙ) = v iff f(w₁, …, wₙ) →! v, otherwise ⟦f⟧(w₁, …, wₙ) is undefined.

2.2 Feasible Provably Total Functions

Let f be an equational program. We define AT(f) as the calculus AT(W) extended with the replacement rule below,

  A[uθ]
  ───── R
  A[vθ]

where (v → u) ∈ E and θ is a substitution X → T(W, X).

Throughout, we abbreviate τ₁, …, τₙ → τ by τ₁ → (… (τₙ → τ) …). We write A[t] to express that the term t occurs in the formula A. We write W(t) to express that the term t is the argument of the unary predicate W.

Definition 2. A function φ of arity n is provably total in AT(W) iff there is an equational program f such that φ = ⟦f⟧ and a derivation in AT(f) of

  Tot(f) = ∀x₁ … ∀xₙ. W(x₁), …, W(xₙ) → W(f(x₁, …, xₙ))
Definition 3. A formula A[x] is an induction formula if ∀x.W(x) → A[x] is the conclusion of an induction. Define AT°(W) as the restriction of AT(W) in which induction formulas are just conjunctions of predicates (i.e. atomic formulas).

Theorem 1 (Main result). A function φ is polynomial time computable if and only if the function φ is provably total in AT°.

Remark 1. By removing the restriction on the elimination rule of the universal quantifier in AT(W), we obtain a system which is equivalent to the system IT(W) developed by Leivant in [20]. The set of provably total functions in IT(W) is exactly the set of provably total functions in Peano arithmetic. Similarly, the provably total functions of AT°(W), without the restriction on universal quantifiers, are the primitive recursive functions.

It is not difficult to modify AT to reason about any sorted algebra. In particular, a consequence of Theorem 1 is that the set of provably total functions is exactly the set of functions computable in linear space.



Example 1. We begin with the word concatenation whose equations are

  cat(ε, w) → w
  cat(sᵢ(x), w) → sᵢ(cat(x, w))        i = 0, 1

The derivation π_cat below shows that the concatenation is a provably total function of AT(cat).

                     {W(cat(z, w))}
                     ─────────────── sᵢI
                     W(sᵢ(cat(z, w)))
                     ─────────────── R
          {W(z)}     W(cat(sᵢ(z), w))
          ───────────────────────────────────── →I
          W(z), W(cat(z, w)) → W(cat(sᵢ(z), w))                        W(w)
          ────────────────────────────────────── ∀I                ──────────── R
          ∀z.W(z), W(cat(z, w)) → W(cat(sᵢ(z), w))                 W(cat(ε, w))
          ─────────────────────────────────────────────────────────────────────── Ind(W)
                                  ∀x.W(x) → W(cat(x, w))
Notice that the term w is any term, and so w can be substituted by a non-actual term. Let us investigate the word multiplication whose equations are

  mul(ε, x) → ε
  mul(sᵢ(y), x) → cat(x, mul(y, x))        i = 0, 1
The word multiplication is a provably total function, as the derivation below shows.

  {W(mul(z, x))}
   ⋮ π_cat[w ← mul(z, x)]
  ∀x.W(x) → W(cat(x, mul(z, x)))
  ────────────────────────────── ∀E°
  W(x) → W(cat(x, mul(z, x)))          {W(x)}
  ──────────────────────────────────────────── →E
             W(cat(x, mul(z, x)))
             ──────────────────── R
             W(mul(sᵢ(z), x))
  ───────────────────────────────────────────── →I
  W(z), W(mul(z, x)) → W(mul(sᵢ(z), x))                          ──── εI
  ────────────────────────────────────── ∀I                       W(ε)
  ∀z.W(z), W(mul(z, x)) → W(mul(sᵢ(z), x))                       ──────────── R
                                                                 W(mul(ε, x))
  ─────────────────────────────────────────────────────────────────────────── Ind(W)
                        ∀y.W(y) → W(mul(y, x))
  ─────────────────────────────────────────────────────────────────────────── (∀E°; →I; ∀I; ∀I)
                    ∀x.∀y.W(x), W(y) → W(mul(y, x))

Now, consider the equations defining the exponential:

  exp(ε) → s₀(ε)
  exp(sᵢ(y)) → cat(exp(y), exp(y))        i = 0, 1

In order to establish that the program exp defines a provably total function, we have to make an induction. At the induction step, under the assumptions W(exp(y)) and W(y), we have to prove W(cat(exp(y), exp(y))). However, exp(y) is not an actual term, and so we cannot "plug in" the derivation π_cat to conclude.



2.3 Comments

These examples illustrate that actual terms play a role similar to terms of higher tier (safe) used in ramified recursion, as defined by Bellantoni and Cook [2], and Leivant in [19]. Intuitively, we do not assume that two terms are equal just because they have the same value. We are not concerned with term denotations, but rather with the resources necessary to evaluate a term, or in other words, with term intension. From this point of view, a non-actual term is unsafe. So, we have no justification to quantify over non-actual terms. On the other hand, there are no computation rules associated to actual terms, so they are safe with respect to polynomial-time computation. In a way, this idea is similar to the "read-only" programs of Jones [12].

The concept arising from the work of Simmons [27], Bellantoni and Cook [2] and Leivant [19] is the ramification of the domain of computation and the ramification of recursion schemata. One usually compares this solution with Russell's type theory. One unattractive feature is that objects are duplicated at different tiers. This drawback is eliminated here. It is amazing to see that this solution seems related to Zermelo's or Quine's answers to Russell's type theory.

Lastly, the actual elimination quantifier principle reminds one of logic with an existence predicate, in which quantifiers are supposed to range only over existing terms. The motivation is to take into account undefined terms. Such logics have their roots in the works of Weyl [28] and Heyting [10], have since been extensively studied, and are related to free logic.

2.4 Other Feasible Logics

Theories of feasible mathematics originate with Buss [5] on bounded arithmetic. Subsequently, Leivant [17] established that the functions provably total in second order arithmetic with the comprehension axiom restricted to positive existential formulas are exactly the polynomial time functions. Leivant [18] also translated his characterisation [19] of feasible functions by means of ramified recursion. For this, he introduced a sequence of predicates N₀, N₁, … corresponding to copies of N with increasing computational potential. Çağman, Ostrin and Wainer [6] defined a two sorted Peano arithmetic PA(;) in the spirit of Bellantoni and Cook [2]. They characterize the functions computable in linear space, and the elementary functions. Predicates have two kinds of arguments: safe and normal. Quantifiers are allowed only over safe terms and range over hereditarily basic terms.

In a recent article [21], Leivant suggests a new direction by giving some structural conditions on proof hypotheses and on inductive formulas.

There are also theories of feasible mathematics which are affiliated to linear logic. Girard, Scedrov and Scott in [11] have introduced bounded linear logic, in which resources are explicitly counted. Then, Girard [8] constructed light linear logic, which is a second order logic with a new modality that controls the resources safely. See also the works of Asperti [1] and Roversi [25]. Lastly, Bellantoni and Hofmann [3] and Schwichtenberg [26] have proposed feasible arithmetics based on linear logic with extra counting modalities.

2.5 Strong Normalisation and Confluence

Detours and conversions are listed in Figures 4 and 5. Suppose that π is a derivation of AT(f), and that π ▷ π'. Then, π' is a derivation of AT(f).

Theorem 2. The proof reduction relation ▷ is confluent and terminating.

Proof. A derivation π of AT(f) is also a derivation of Peano arithmetic. From the observation above, we conclude that AT(f) is confluent and terminating because Peano arithmetic enjoys both properties.

3 Extraction of Polynomial Time Programs

We follow the program construction methodology behind AF2 of Leivant [15], see also the works of Krivine and Parigot [13,14,23]. An equational program f is seen as a specification of the function ⟦f⟧ which is compiled in two steps. First, we establish that Tot(f) holds in AT°(f). Second, we extract a lambda-term which computes ⟦f⟧.
Detours                                                    Conversions

→ (β)
      {A}
       ⋮ π₀
       B              ⋮ π₁                                   ⋮ π₁
     ───── →I         A                                      A
     A → B                                        ▷          ⋮ π₀
     ────────────────── →E                                   B
            B

∧
      ⋮ π₁   ⋮ π₂
      A₁     A₂
     ──────── ∧I                                             ⋮ πᵢ
     A₁ ∧ A₂                                      ▷          Aᵢ
     ──────── ∧E
       Aᵢ

∀
      ⋮ π
      A
     ───── ∀I                                                ⋮ π[x ← p]
     ∀x.A                                         ▷          A[x ← p]
     ──────── ∀E°, p ∈ T(W, X)
     A[x ← p]

Sel
      ⋮ π_{s₀}            ⋮ π_{s₁}           ⋮ π_ε
     W(x) → A[s₀(x)]   W(x) → A[s₁(x)]   A[ε]   W(ε)  εI                ⋮ π_ε
     ──────────────────────────────────────────── Sel(W)      ▷          A[ε]
                         A[ε]

                                                 ⋮ π_t
      ⋮ π_{s₀}            ⋮ π_{s₁}           ⋮ π_ε   W(t)
     W(x) → A[s₀(x)]   W(x) → A[s₁(x)]   A[ε]   ──────── sᵢI
                                                 W(sᵢ(t))
     ──────────────────────────────────────────────────── Sel(W)   ▷
                         A[sᵢ(t)]

                                                              ⋮ π_{sᵢ}[x ← t]    ⋮ π_t
                                                              W(t) → A[sᵢ(t)]    W(t)
                                                              ──────────────────────── →E
                                                                     A[sᵢ(t)]

Fig. 4. Detours and conversions of AT(W)

Fig. 5. Detours and conversions for the induction rule of AT(W)
3.1 Lambda-Calculus with Recurrence

We define Λ^W as the lambda-calculus with pairing, selection and recurrence operators over words. Terms of Λ^W are generated by

  (Constructors)  W ∋ c ::= ε | s₀ | s₁
  (Constants)     r ::= binrec | bincase | pr₁ | pr₂ | ⟨-, -⟩
  (Variables)     X ∋ x ::= x | y | z | …
  (Terms)         t ::= c | r | λx.t | t(s)

The reduction rules are

  β     (λx.t)s → t[x ← s]
  ∧ᵢ    prᵢ(⟨t₁, t₂⟩) → tᵢ
  Sel   bincase(t_{s₀})(t_{s₁})(t_ε)(ε) → t_ε
        bincase(t_{s₀})(t_{s₁})(t_ε)(sᵢ(u)) → t_{sᵢ}(u)                                    i = 0, 1
  Rec   binrec(t_{s₀})(t_{s₁})(t_ε)(ε) → t_ε
        binrec(t_{s₀})(t_{s₁})(t_ε)(sᵢ(u)) → t_{sᵢ}(binrec(t_{s₀})(t_{s₁})(t_ε)(u))(u)      i = 0, 1

Again, we write t →! s to say that s is the normal form of t with respect to the reduction rules above.

Definition 4. A term t λ-represents a function φ iff for each wᵢ ∈ T(W) and v ∈ T(W), φ(w₁, …, wₙ) = v iff t(w₁) ⋯ (wₙ) →! v.

3.2 Extracting Lambda-Terms from Proofs

We define a mapping κ which extracts the computational content of an AT derivation, by a Curry-Howard correspondence. The definition of κ is given in Figure 6.

Example 2. The program κ(π_cat) extracted from the derivation π_cat is

  κ(π_cat)[w] = λx.binrec(λzλu.s₀(u))(λzλu.s₁(u))(w)(x)

Henceforth, the program which represents the specification of cat is

  λwλx.binrec(λzλu.s₀(u))(λzλu.s₁(u))(w)(x)

The program for mul is

  κ(π_mul) = λxλy.binrec(λzλu.κ(π_cat)[u](x))(λzλu.κ(π_cat)[u](x))(ε)(y)

Remark 2. Each term κ(π) of Λ^W is a term of Gödel's system T, slightly modified to reason about words. Indeed, we associate to each formula A a type $\overline{A}$ as follows: $\overline{W} = \iota$, $\overline{A \to B} = \overline{A} \to \overline{B}$, $\overline{A \wedge B} = \overline{A} \wedge \overline{B}$, $\overline{\forall x.A} = \overline{A}$. Then, the term κ(π) is of type $\overline{A}$ where A is the conclusion of π.

In fact, κ is a morphism from AT°(f) derivations to Λ^W. Since κ respects conversion/reduction rules, the extracted term is correct in the following sense.

Theorem 3. Assume that π is a derivation of AT(f) of Tot(f). Then κ(π) λ-represents the function ⟦f⟧.

Proof. We refer to Leivant's demonstration [16] or to Krivine's book [13].
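The operators of Section 3.1 and the extracted programs of Example 2 can be run directly. The following Python interpreter is an added example and not code from the paper: it represents words of T(W) as strings over {0, 1} (first character = outermost constructor), implements bincase and binrec by the Sel and Rec rules, and evaluates κ(π_cat) and κ(π_mul) exactly as the terms above are written. It also counts binrec steps, so that the cost of mul can be compared with that of the exponential of Section 2.2, whose Λ^W term is constructed here for contrast (Λ^W can write it down; AT° cannot prove it total). One assumption to flag: the Rec rule in 3.1 hands the recursive result to t_{sᵢ} before the predecessor, whereas the derivation π_cat discharges W(z) before W(cat(z, w)) and the terms of Example 2 are written λzλu with u the recursive result; the interpreter follows the terms of Example 2.

```python
"""
Interpreter for the word operators of Section 3.1 and the extracted programs
of Example 2 (added example; not code from the paper).

Words of T(W) are strings over {0, 1}: EPS is the empty word, and s0/s1
prepend a constructor, so the outermost constructor of a word is its first
character.
"""
from typing import Callable

EPS = ""


def s0(w: str) -> str:
    return "0" + w


def s1(w: str) -> str:
    return "1" + w


# Number of step-function applications performed by binrec; reset by
# run_counted.  Used to compare the cost of extracted programs (Section 3.3).
STEPS = [0]


def bincase(t_s0, t_s1, t_eps, w: str):
    """Sel rules: bincase(t_s0)(t_s1)(t_eps)(eps) -> t_eps and
    bincase(t_s0)(t_s1)(t_eps)(s_i(u)) -> t_{s_i}(u)."""
    if w == EPS:
        return t_eps
    head, u = w[0], w[1:]
    return (t_s0 if head == "0" else t_s1)(u)


def binrec(t_s0, t_s1, t_eps, w: str):
    """Rec rules, unfolded iteratively from the innermost constructor outward.
    Assumption taken from the terms of Example 2: a step function receives the
    predecessor u first and the recursive result second."""
    acc = t_eps
    for i in range(len(w) - 1, -1, -1):
        head, u = w[i], w[i + 1:]          # at this depth the word is s_head(u)
        step = t_s0 if head == "0" else t_s1
        STEPS[0] += 1
        acc = step(u)(acc)
    return acc


def pred(w: str) -> str:
    """Definition by cases with bincase: drop the outermost constructor."""
    return bincase(lambda u: u, lambda u: u, EPS, w)


def kappa_cat(w: str) -> Callable[[str], str]:
    """kappa(pi_cat)[w] = λx.binrec(λzλu.s0(u))(λzλu.s1(u))(w)(x); computes cat(x, w)."""
    return lambda x: binrec(lambda z: lambda u: s0(u),
                            lambda z: lambda u: s1(u),
                            w, x)


def kappa_mul(x: str) -> Callable[[str], str]:
    """kappa(pi_mul) = λxλy.binrec(λzλu.kappa(pi_cat)[u](x))(same)(eps)(y);
    computes mul(y, x), i.e. x concatenated with itself |y| times."""
    step = lambda z: lambda u: kappa_cat(u)(x)
    return lambda y: binrec(step, step, EPS, y)


def exp_term(y: str) -> str:
    """Hypothetical Λ^W term for the exponential of Section 2.2, built for
    contrast: its step cat(exp(z), exp(z)) recurses on the non-actual term
    exp(z), which is exactly the instantiation the forall-E rule refuses."""
    step = lambda z: lambda u: kappa_cat(u)(u)   # cat(u, u) with u = exp(z)
    return binrec(step, step, s0(EPS), y)


def run_counted(thunk: Callable[[], str]):
    """Evaluate a closed program; return (normal form, binrec steps used)."""
    STEPS[0] = 0
    result = thunk()
    return result, STEPS[0]


def cost_profile(n: int):
    """binrec steps used by mul("10", 1^n) and by exp(1^n) (constructed inputs)."""
    y = "1" * n
    _, mul_steps = run_counted(lambda: kappa_mul("10")(y))
    _, exp_steps = run_counted(lambda: exp_term(y))
    return mul_steps, exp_steps


if __name__ == "__main__":
    print(run_counted(lambda: kappa_cat("1")("10")))     # ('101', 2)
    print(run_counted(lambda: kappa_mul("10")("111")))   # ('101010', 9)
    for n in (2, 4, 8):
        print(n, cost_profile(n))                        # 3n versus n + 2^n - 1
```

cost_profile(n) shows the point of the ∀E° restriction from the cost side: the step count of the extracted mul is 3n on these inputs (|y| outer steps, each calling a two-step cat), while the exponential term needs n + 2ⁿ - 1 steps because every step recurses over a word twice as long as the previous one.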
Derivation π                                                   Term κ(π)

  {A}
   ⋮ π
   B
  ───── →I                                                     λx.κ(π)
  A → B

   ⋮ π₁     ⋮ π₂
  A → B     A
  ─────────── →E                                               κ(π₁)(κ(π₂))
       B

   ⋮ π₁   ⋮ π₂
   A₁     A₂
  ───────── ∧I                                                 ⟨κ(π₁), κ(π₂)⟩
   A₁ ∧ A₂

   ⋮ π
  A₁ ∧ A₂
  ─────── ∧E                                                   prᵢ(κ(π))
    Aᵢ

   ⋮ π
  A[uθ]
  ───── R                                                      κ(π)
  A[vθ]

   ⋮ π
    A
  ───── ∀I                                                     κ(π)
  ∀x.A

   ⋮ π
   ∀x.A
  ──────── ∀E°                                                 κ(π)
  A[t/x]

  ──── εI                                                      ε
  W(ε)

   ⋮ π
   W(t)
  ──────── sᵢI                                                 sᵢ(κ(π))
  W(sᵢ(t))

   ⋮ π_{s₀}          ⋮ π_{s₁}          ⋮ π_ε   ⋮ π_t
  W(y) → A[s₀(y)]   W(y) → A[s₁(y)]   A[ε]    W(t)
  ───────────────────────────────────────────── Sel(W)         bincase(κ(π_{s₀}))(κ(π_{s₁}))(κ(π_ε))(κ(π_t))
                      A[t]

   ⋮ π_{s₀}                 ⋮ π_{s₁}                 ⋮ π_ε
  ∀y.A[y], W(y) → A[s₀(y)]  ∀y.A[y], W(y) → A[s₁(y)]  A[ε]
  ──────────────────────────────────────────────────── Ind(W)  binrec(κ(π_{s₀}))(κ(π_{s₁}))(κ(π_ε))
                    ∀x.W(x) → A[x]

Fig. 6. Program extraction by Curry-Howard correspondence κ



3.3 Analysis of the Complexity of Extracted Programs

The size |w| of a term is the number of constructors which make up w.

Theorem 4. Let φ be a provably total function of AT°(W). The function φ is computable in polynomial time with respect to input sizes.

Proof. There is an equational program f which computes φ, that is φ = ⟦f⟧, and such that Tot(f) is derivable in AT°(f). In order to avoid needless difficulties, we shall assume that the derivation of Tot(f) does not use the rule ∧E.

Before proceeding with the demonstration of the theorem, it is helpful to say that an occurrence of a predicate W(p) in a derivation π is critical if

(a) either the occurrence of W(p) is in the negative part of the conclusion of an induction rule,

(b) or the occurrence W(p) is the minor premiss of a detour of an induction.

A typical example is written below. Here, W(x) satisfies (a) and the occurrence of W(t), which is the conclusion of π_t, satisfies (b).

   ⋮
  ∀x.W(x) → A[x]   (Ind(W))
  ─────────────── ∀E°         ⋮ π_t
  W(t) → A[t]                 W(t)
  ──────────────────────────────── →E
              A[t]

Next, say that a predicate W(t) is critical in a derivation π if one of its occurrences in π is critical. It is important to notice that if W(t) is critical then the term t is necessarily actual. Now, the demonstration of the theorem is a consequence of the following claim.

Claim. Let π be a normal derivation, without the rule ∧E, of


under the premises W(s₁), …, W(s_m) and where t is not an actual term. There is a polynomial P_π such that for every w₁, …, w_{m+n} ∈ T(W), the computation of

  κ(π)(w_{m+1}) ⋯ (w_{m+n})[s₁ ← w₁, …, s_m ← w_m]

is performed in time bounded by P_π(M) and constant in N, where

  M = max(|wᵢ| : W(sᵢ) is critical in π)
  N = max(|wᵢ| : W(sᵢ) is not critical in π)

The demonstration goes by induction on the size of the normal derivation π. We shall just consider the case where the last rule is an induction rule. The other cases are similar or immediate.

Following Figure 5, the term κ(π) is λx.binrec(κ(π_{s₀}))(κ(π_{s₁}))(κ(π_ε))(x). The computation of κ(π)(w_{m+1})[s₁ ← w₁, …, s_m ← w_m] consists in a recursion of length |w_{m+1}|. The terms κ(π_ε) and κ(π_{sᵢ}), i = 0, 1, satisfy the induction hypothesis. By the claim assumption, t[y] is not an actual term, so W(t[y]) is not critical. It follows that the |w_{m+1}|-long recursion is evaluated in time bounded by |w_{m+1}| · max(P_{π_{s₀}}(M), P_{π_{s₁}}(M)) + P_{π_ε}(M) + O(1) and constant in N.
4 Polynomial-Time Functions Are Provably Total

Theorem 5. Each polynomial time computable function φ is provably total in AT°.

Proof. Suppose that the function φ is computed by a single tape Turing machine M within k · nˡ steps, for some constant k, where n is the input size. The tape alphabet is {0, 1} and the set of states is Q ⊆ {0, 1}⁺. A description of M is a triplet (q, u, v) where q is the current state, u is the left hand side of the tape, and v the right hand side of the tape. The head scans the first letter of v. Let δ : Q × {0, 1} → Q × {0, 1} × {l, r} be the transition function of M. The initial description is (q₀, ε, v). The result of the computation is written on the right hand side of the tape.

We construct an equational program f, which simulates the computation of M and which is provably total in AT°(W). We begin by defining three programs D₀, D₁ and D₂, which determine the next description. From the transition function δ, those programs indicate, respectively, the next state, the word on the left, and the word on the right, as follows.

  D₀(q, u, sᵢ(v)) → q'                 if δ(q, i) = (q', k, ∗), ∗ ∈ {l, r}
  D₁(q, s_j(u), sᵢ(v)) → u             if δ(q, i) = (q', k, l)
  D₁(q, u, sᵢ(v)) → s_k(u)             if δ(q, i) = (q', k, r)
  D₂(q, s_j(u), sᵢ(v)) → s_j(s_k(v))   if δ(q, i) = (q', k, l)
  D₂(q, u, sᵢ(v)) → v                  if δ(q, i) = (q', k, r)

In all other cases, the result of Dᵢ is ε. Thus, (c₀, c₁, c₂) yields, in one step, the description (D₀(c₀, c₁, c₂), D₁(c₀, c₁, c₂), D₂(c₀, c₁, c₂)). Each Dᵢ is defined by cases. The current state and the neighbour letter of the head are determined by nested applications of Sel(W)-rules. So, we can build a derivation of ⋀_{i=0,1,2} W(Dᵢ(q, u, v)), under the assumptions W(q), W(u), W(v) and without using the induction rule. Consequently, we shall be able to replace the free variables q, u and v by any term.

Next, we define the sequence (Lⁱ_m(t, x, c₀, c₁, c₂))_{i=0,1,2}, by mutual recursion:

  Lⁱ₀(t, x, c₀, c₁, c₂) → Dᵢ(c₀, c₁, c₂)
  Lⁱ_{m+1}(ε, x, c₀, c₁, c₂) → cᵢ
  Lⁱ_{m+1}(s_j(t), x, c₀, c₁, c₂) → Lⁱ_m(x, x, Δ⁰, Δ¹, Δ²)        s_j = s₀, s₁

where Δⁱ = Lⁱ_{m+1}(t, x, c₀, c₁, c₂), for i = 0, 1, 2.

The description of M after |t| · |x|ˡ steps, starting from the description (c₀, c₁, c₂), is (L⁰_{l+1}(t, x, c₀, c₁, c₂), L¹_{l+1}(t, x, c₀, c₁, c₂), L²_{l+1}(t, x, c₀, c₁, c₂)). The function φ, computed by the Turing machine M, is represented by f:

  f(u) → L²_{l+1}(s₀ᵏ(ε), u, q₀, ε, u)

It remains to establish that f is provably total in AT°(W). For this, we construct for every m a derivation of ∀z.W(z) → ⋀_{i=0,1,2} W(Lⁱ_m(z, x, c₀, c₁, c₂)) under the premises W(x), W(c₀), W(c₁), W(c₂) where c₀, c₁ and c₂ are variables which can be substituted for any term, unlike x.
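To make the simulation in the proof of Theorem 5 concrete, here is an added Python example (not code from the paper) that implements D₀, D₁, D₂ and the mutual recursion Lⁱ_m literally and runs them on a constructed machine. The machine, its state names and the inputs are assumptions of the example: it complements the first tape letter and then idles by bouncing between the first two cells, so it never runs off its tape (which, under the D rules, would collapse the description to ε). simulate evaluates f(u) → L²_{l+1}(s₀ᵏ(ε), u, q₀, ε, u) and reports how many one-step descriptions were applied, which should equal k · |u|ˡ; run_direct iterates D the same number of times as a cross-check.

```python
"""
Turing-machine simulation by the programs D0, D1, D2 and L^i_m from the proof
of Theorem 5 (added example; not code from the paper). States and tape halves
are strings over {0, 1}; the first character is the outermost constructor, so
the head scans v[0] and the letter nearest the head on the left is u[0].
"""
EPS = ""

# Constructed machine (not from the paper): states "1", "10", "11" in {0,1}+.
# From q0 = "1" it complements the scanned letter and moves right; afterwards
# it bounces left/right between the first two cells, rewriting each letter
# unchanged, so any number of steps is possible on an input of length >= 2.
DELTA = {
    ("1", "0"): ("10", "1", "r"),
    ("1", "1"): ("10", "0", "r"),
    ("10", "0"): ("11", "0", "l"),
    ("10", "1"): ("11", "1", "l"),
    ("11", "0"): ("10", "0", "r"),
    ("11", "1"): ("10", "1", "r"),
}
Q0 = "1"


def _lookup(delta, q, v):
    """delta(q, i) for the scanned letter i = v[0]; None in 'all other cases'."""
    return delta.get((q, v[0])) if v else None


def D0(delta, q, u, v):
    """D0(q, u, s_i(v)) -> q'  if delta(q, i) = (q', k, *); otherwise eps."""
    tr = _lookup(delta, q, v)
    return tr[0] if tr else EPS


def D1(delta, q, u, v):
    """D1(q, s_j(u), s_i(v)) -> u  (move l);  D1(q, u, s_i(v)) -> s_k(u)  (move r)."""
    tr = _lookup(delta, q, v)
    if tr is None:
        return EPS
    _, k, move = tr
    if move == "l":
        return u[1:] if u else EPS       # the pattern s_j(u) needs a non-empty left side
    return k + u


def D2(delta, q, u, v):
    """D2(q, s_j(u), s_i(v)) -> s_j(s_k(v))  (move l);  D2(q, u, s_i(v)) -> v  (move r)."""
    tr = _lookup(delta, q, v)
    if tr is None:
        return EPS
    _, k, move = tr
    if move == "l":
        return u[0] + k + v[1:] if u else EPS
    return v[1:]


def step_desc(delta, c):
    """(c0, c1, c2) -> (D0(c), D1(c), D2(c)): one step of M."""
    return (D0(delta, *c), D1(delta, *c), D2(delta, *c))


def L(m, t, x, c, delta, counter):
    """The triple (L^0_m, L^1_m, L^2_m)(t, x, c0, c1, c2), computed together.
    counter[0] records how many times the one-step program D was applied."""
    if m == 0:                                          # L^i_0(t, x, c) -> D_i(c)
        counter[0] += 1
        return step_desc(delta, c)
    if t == EPS:                                        # L^i_{m+1}(eps, x, c) -> c_i
        return c
    delta_desc = L(m, t[1:], x, c, delta, counter)      # Delta^i = L^i_{m+1}(t, x, c)
    return L(m - 1, x, x, delta_desc, delta, counter)   # L^i_{m+1}(s_j(t), x, c) -> L^i_m(x, x, Delta)


def simulate(delta, q0, u, k, l):
    """f(u) -> L^2_{l+1}(s0^k(eps), u, q0, eps, u): the right-hand tape after
    k * |u|^l steps.  Returns (result word, number of D applications)."""
    counter = [0]
    t = "0" * k                                         # s0^k(eps)
    desc = L(l + 1, t, u, (q0, EPS, u), delta, counter)
    return desc[2], counter[0]


def run_direct(delta, q0, u, steps):
    """Reference: iterate the one-step program D `steps` times from (q0, eps, u)."""
    c = (q0, EPS, u)
    for _ in range(steps):
        c = step_desc(delta, c)
    return c


if __name__ == "__main__":
    print(simulate(DELTA, Q0, "0110", 2, 1))    # ('1110', 8): first letter complemented
    print(run_direct(DELTA, Q0, "0110", 8))     # ('11', '', '1110')
    print(simulate(DELTA, Q0, "0110", 3, 2))    # ('1110', 48) = 3 * 4^2 steps
```

Because the simulated machine ends each left move with the whole tape on the right-hand side, the result read off by f(u) is the full tape whenever k · |u|ˡ is even; the step counter confirms that L_{l+1} applies D exactly k · |u|ˡ times, as the proof states.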
Abstract. We consider order-generic queries, i.e., queries which commute with every order-preserving automorphism of a structure's universe. It is well-known that first-order logic has the natural order-generic collapse over the rational and the real ordered group for the class of dense order constraint databases (also known as finitely representable databases). I.e., on this class of databases over (Q, <) or (R, <), addition does not add to the expressive power of first-order logic for defining order-generic queries. In the present paper we develop a natural generalization of the notion of finitely representable databases, where an arbitrary (i.e. possibly infinite) number of regions is allowed. We call these databases ω-representable, and we prove the natural order-generic collapse over the rational and the real ordered group for this larger class of databases.

Keywords: Logic in Computer Science, Database Theory, Constructive Mathematics

1 Introduction and Main Results

In relational database theory a database is modelled as a relational structure over a fixed, possibly infinite universe U. A k-ary query is a mapping Q which assigns to each database A a k-ary relation Q(A) ⊆ Uᵏ. In many applications the elements in U only serve as identifiers which are exchangeable. If this is the case, one demands that queries commute with every permutation of U. Such queries are called generic. If U is linearly ordered, a query may refer to the ordering. In this setting it is more appropriate to consider queries which commute with every order-preserving (i.e. strictly increasing) mapping of U. Such queries are called order-generic.

A basic way of expressing order-generic queries is by first-order formulas that make use of the linear ordering and of the database relations. Database theorists distinguish between two different semantics: active semantics, where quantifiers only range over database elements, and the (possibly) stronger natural semantics, where quantifiers range over all of U. In the present paper we always consider natural semantics.
It is a reasonable question whether the use of additional, e.g. arithmetical, predicates on U allows first-order logic to express more order-generic queries than with linear ordering alone. In some situations this question can be answered "yes" (e.g. if U is the set of natural numbers with + and × as additional predicates, cf. [3]). In other situations the question must be answered "no" (e.g. if U is the set of natural numbers with + alone, cf. [8]) — such results are then called collapse results, because first-order logic with the additional predicates collapses to first-order logic with linear ordering alone. A recent overview of this area of research is given in [3].

In classical database theory, attention usually is restricted to finite databases. In this setting Benedikt et al. [2] have obtained a strong collapse result: first-order logic has the natural order-generic collapse for finite databases over o-minimal structures. This means that if the universe U together with the additional predicates has a certain property called o-minimality, then for every order-generic first-order formula φ which uses the additional predicates, there is a formula with linear ordering alone which is equivalent to φ on all finite databases.

Belegradek et al. [1] have extended this result: instead of o-minimality they consider quasi o-minimality, and instead of finite databases they consider finitely representable databases (also known as dense order constraint databases). Many structures interesting to database theory, including (N, <, +), (Q, <, +), (R, <, +), and (R, <, +, ×, eˣ), are indeed o-minimal or at least quasi o-minimal. A database is called finitely representable if each of its relations can be explicitly defined by a first-order formula which makes use of the linear ordering and of finitely many constants in U. For U ∈ {Q, R}, finitely representable databases are exactly those databases where every relation is defined by a Boolean combination of order-constraints over U. I.e., those database relations essentially consist of a finite number of multidimensional rectangles in U.

A reasonable question is whether such collapse results hold for even larger classes of databases. In [8] it was shown that over (N, <, +) the natural order-generic collapse does indeed hold for arbitrary databases. However, this result cannot be carried over to dense linear orders: Belegradek et al. have shown (cf. [1, Theorem 3.2]) that e.g. over (Q, <, +) the natural order-generic collapse does not hold for arbitrary databases. This result draws a borderline between finite and finitely representable databases on the one side and arbitrary databases on the other. In the present paper we extend that borderline. We develop a natural generalization of the notion of finitely representable databases. We call these databases ω-representable, and we obtain the following

Main Theorem 1. First-order logic has the natural order-generic collapse for ω-representable databases over (Q, <, +) and (R, <, +). □

We call a database ω-representable if each of its relations can be explicitly defined by a formula in infinitary logic which makes use of the linear ordering and of a countable, unbounded sequence of constants s₁ < s₂ < ⋯ in U. For U ∈ {Q, R}, ω-representable databases turn out to be exactly those databases where every relation is defined by an infinitary Boolean combination of order-constraints
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over (U, (sn)n^i)- I-e., those database relations essentially consist of a finite or 
a countable number of multidimensional rectangles in U. 

In particular, the theorem above shows that there is a natural class that 
contains “essentially infinite” databases, to which the collapse results of Benedikt 
et al. and Belegradek et al. can be generalized, for the special case of (Q, <, +) 
or (M, <,+) as underlying structures. 

The two main tools for proving Main Theorem 1 are 

(1.) a result of [8] that implies, for U ∈ {Q, R}, the natural order-generic collapse over (U, <, +) for the class of ω-databases (these are the databases whose active domain is either finite or consists of an unbounded sequence $s_1 < s_2 < \cdots$ of elements in U), and 

(2.) the following Main Theorem 2, which allows us to lift collapse results for ω-databases to collapse results for ω-representable databases. 

Main Theorem 2. Let (U, <, ...) be an extension of (U, <) with arbitrary additional predicates. If first-order logic has the natural order-generic collapse over (U, <, ...) for the class of ω-databases, then it also has the natural order-generic collapse over (U, <, ...) for the class of ω-representable databases. □ 

Structure of the Paper. In section 2 we provide the notation used throughout the paper. In section 3 we give an outline of the proof and we point out analogies and differences compared with related papers which use a similar proof method. In section 4 we explain the collapse result of [8] which gives us the collapse for ω-databases. In section 5 we examine infinitary logic and give a characterization of ω-representable relations. In section 6 we explain how an ω-representable database can be represented by an ω-database. In section 7 we show that there are first-order interpretations that map an ω-representable database to an ω-database, and vice versa. In section 8 we prove the two main theorems. In section 9 we conclude the paper by pointing out further questions and a potential application. 

2 Preliminaries 

We use Q for the set of rationals, R for the set of reals, and ω for the set of non-negative integers. For r, s ∈ R we write int[r, s] to denote the closed interval $\{x \in \mathbb{R} : r \le x \le s\}$. Analogously, we write int[r, s) for the half-open interval int[r, s] \ {s}, and int(r, s) for the open interval int[r, s] \ {r, s}. 

Depending on the particular context, we use $\bar{x}$ as abbreviation for a sequence $x_1, \ldots, x_m$ or a tuple $(x_1, \ldots, x_m)$. Accordingly, if g is a mapping defined on all elements in $\bar{x}$, we write $g(\bar{x})$ to denote the sequence $g(x_1), \ldots, g(x_m)$ or the tuple $(g(x_1), \ldots, g(x_m))$. If R is an m-ary relation on the domain of g, we write g(R) to denote the relation $\{g(\bar{x}) : \bar{x} \in R\}$. Instead of $\bar{x} \in R$ we often write $R(\bar{x})$. For two disjoint sets A and B we write A ⊎ B to denote the disjoint union of A and B. 
First-Order Logic FO(τ). A signature τ consists of finitely many relation and constant symbols. Each relation symbol R ∈ τ has a fixed arity ar(R) ∈ ω. Whenever we refer to some “c ∈ τ”, we implicitly assume that c is a constant symbol in τ. Analogously, “R ∈ τ” always means that R is a relation symbol in τ. We use $x_1, x_2, \ldots$ as variable symbols. Atomic τ-formulas are $y_1 = y_2$ and $R(y_1, \ldots, y_m)$, where R ∈ τ is of arity, say, m and $y_1, \ldots, y_m$ are constant symbols in τ or variable symbols. FO(τ)-formulas are built up as usual from the atomic τ-formulas and the logical connectives ¬, ∧, ∨, the variable symbols $x_1, x_2, \ldots$, the existential quantifier ∃, and the universal quantifier ∀. We write qd(φ) to denote the quantifier depth of a formula φ, i.e., the maximum number of nested quantifiers that occurs in φ. We sometimes write $\varphi(x_1, \ldots, x_k)$ to indicate that $x_1, \ldots, x_k$ are the free variables of φ, i.e., those variables that are not bound by a quantifier. We say that φ is a sentence if it has no free variables. If we insert additional constant or relation symbols, e.g. < and +, into a signature τ, then we simply write FO(τ, <, +) instead of FO(τ ∪ {<, +}). 

Structures. Let τ be a signature. A τ-structure $\mathcal{A} = (U, \tau^{\mathcal{A}})$ consists of an arbitrary set U which is called the universe of A, and a set $\tau^{\mathcal{A}}$ that contains 

— an interpretation $R^{\mathcal{A}} \subseteq U^{ar(R)}$ for each R ∈ τ, and 

— an interpretation $c^{\mathcal{A}} \in U$, for each c ∈ τ. 

The active domain of A is the set of all constants of A, together with the set of all elements in U that belong to one of A’s relations. 

Sometimes we explicitly want to specify the universe U of a τ-structure A. In these cases we say that A is a (U, τ)-structure. In the present paper, we only consider structures with universe U ∈ {R, Q}. 

For a FO(τ)-sentence φ we say that A models φ and write $\mathcal{A} \models \varphi$ to indicate that φ is satisfied when interpreting each symbol in τ by its interpretation in $\tau^{\mathcal{A}}$. We write $\mathcal{A} \not\models \varphi$ to indicate that A does not model φ. For a FO(τ)-formula $\varphi(x_1, \ldots, x_k)$ and for elements $a_1, \ldots, a_k$ in the universe of A we write $\mathcal{A} \models \varphi(a_1, \ldots, a_k)$ to indicate that the $(\tau \cup \{x_1, \ldots, x_k\})$-structure $(\mathcal{A}, a_1, \ldots, a_k)$ models the FO$(\tau \cup \{x_1, \ldots, x_k\})$-sentence φ. 

Since it is more convenient for our proof, we will talk about structures instead of databases. A structure can be viewed as a database whose database schema may contain not only relation symbols but also constant symbols. This allows us to restrict ourselves to boolean queries (which are formulated by sentences) instead of considering the general case of k-ary queries for arbitrary k (which are formulated by formulas with k free variables). 

Order-Generic Collapse. Let U ∈ {R, Q}. A mapping α : U → U is called an order-automorphism of U if it is bijective and strictly increasing. For a (U, τ)-structure A we write α(A) to denote the (α(U), τ)-structure with $R^{\alpha(\mathcal{A})} = \alpha(R^{\mathcal{A}})$ for all R ∈ τ and $c^{\alpha(\mathcal{A})} = \alpha(c^{\mathcal{A}})$ for all c ∈ τ. 

Let (U, <, ...) be an extension of (U, <) with arbitrary additional predicates. A FO(τ, <, ...)-sentence φ is called order-generic on A iff for every order-automorphism α of U it is true that “(A, <, ...) ⊨ φ iff (α(A), <, ...) ⊨ φ”. 

Let C be a class of structures. We say “first-order logic has the natural order-generic collapse over (U, <, ...) on structures in C” to express that the following is valid for every signature τ: Let φ be a FO(τ, <, ...)-sentence, and let K be the class of all (U, τ)-structures in C on which φ is order-generic. There exists a FO(τ, <)-sentence ψ which is equivalent to φ on K, i.e., “(A, <, ...) ⊨ φ iff (A, <) ⊨ ψ” is true for all A ∈ K. 

Infinitary Logic $L_{\infty\omega}(<, S)$. Infinitary logic is defined in the same way as first-order logic, except that arbitrary (i.e. possibly infinite) disjunctions and conjunctions are allowed. Only in the context of infinitary logic we allow a signature to contain infinitely many symbols. What we need in the present paper is the following: Let S be a possibly infinite set of constant symbols. The logic $L_{\infty\omega}(<, S)$ is given by the following clauses: It contains all atomic formulas $x = y$ and $x < y$, where x and y are variable symbols or elements in S. If it contains φ, then it contains also ¬φ. If it contains φ and if x is a variable symbol, then it contains also ∃xφ and ∀xφ. If Φ is a (possibly infinite) set of $L_{\infty\omega}(<, S)$-formulas, then $\bigvee \Phi$ and $\bigwedge \Phi$ are formulas in $L_{\infty\omega}(<, S)$. 

The semantics is a direct extension of the semantics of first-order logic, where $\bigvee \Phi$ is true if there is some φ ∈ Φ which is true; and $\bigwedge \Phi$ is true if every φ ∈ Φ is true. 

In the present paper we use infinitary logic only for the universe U = R or U = Q, where the constant symbols are interpreted by numbers in U. Consequently, we identify the set S of constant symbols with a set S ⊆ U. 

Sets of Type at Most ω, ω-Structures, and ω-Representable Structures. Let U ∈ {R, Q}. We say that S ⊆ U is of type ω if (U, <, S) is isomorphic to (U, <, ω). One can easily see that S is of type ω if and only if $S = \{s_1 < s_2 < \cdots\}$, where the sequence $(s_n)_{n \ge 1}$ is strictly increasing and unbounded. Accordingly, we say that S is of type at most ω if S is finite or of type ω. 

We say that a (U, τ)-structure A is an ω-structure if the active domain of A is of type at most ω. 

A relation $R \subseteq U^m$ is called ω-representable if there is a set S ⊆ U of type at most ω such that R is definable in $L_{\infty\omega}(<, S)$, i.e. there is a $L_{\infty\omega}(<, S)$-formula $\varphi_R(x_1, \ldots, x_m)$ with $R = \{\bar a \in U^m : U \models \varphi_R(\bar a)\}$. Accordingly, a (U, τ)-structure A is called ω-representable if each of A’s relations is ω-representable. 

For better readability, we formulate the rest of the paper only for the case U = R. However, all statements remain correct if one replaces R by Q. 



3 Outline of the Proof — The Lifting Method 

It is by now quite a common method in database theory to lift results from one class of databases to another. This lifting method can be described as follows: 

Known: A result for a class of “easy” databases. 

Wanted: The analogous result for a class of “complicated” databases. 

Method: 

(1.) Show that all the relevant information about a “complicated” database can be represented by an “easy” database. 

(2.) Show that the translation from the “complicated” to the “easy” database (and vice versa) can be performed in an appropriate way (e.g. via an efficient algorithm or via FO-formulas). 

(3.) Use this to translate the known result for the “easy” databases into the desired result for the “complicated” databases. 

In the literature the “easy” database which represents a “complicated” database is usually called the invariant of the “complicated” database. Table 1 gives a listing of recent papers in which the lifting method has been used. 



Table 1. Some papers using the lifting method. 

         | “compl.” dbs       | “easy” dbs | result (“easy” dbs)                                  | result (“compl.” dbs) 
  [9]    | planar spatial dbs | finite dbs | evaluation of fixpoint+counting queries              | evaluation of top. FO(R, <)-queries 
  [7]    | region dbs         | finite dbs | order-generic collapse over (R, <, +, ×) (cf. [2])   | collapse from top. FO(R, <, +, ×)-queries to top. FO(R, <)-queries 
  [5]    | finitely rep. dbs  | finite dbs | logical characterization of complexity classes       | complexity of query evaluation 
  [1]    | finitely rep. dbs  | finite dbs | order-generic collapse over quasi o-minimal structures | order-generic collapse over quasi o-minimal structures 
  [here] | ω-rep. dbs         | ω-dbs      | order-generic collapse over (R, <, +)                | order-generic collapse over (R, <, +) 


In particular, Belegradek, Stolboushkin, and Taitslin [1] and Grädel and Kreutzer [5] show that all the relevant information about a finitely representable database (i.e. a database defined by a finite Boolean combination of order-constraints) can be represented by a finite database, and that the translation from finitely representable to finite (and vice versa, in [1]) can be done by a first-order interpretation. 

Grädel and Kreutzer use this translation to carry over logical characterizations of complexity classes to results on the data complexity of query evaluation. They lift, e.g., the well-known logical characterization “PTIME = FO+LFP on ordered finite structures” to the result stating that the polynomial time computable queries against finitely representable databases are exactly the FO+LFP-definable queries. 

Belegradek, Stolboushkin, and Taitslin use their FO-translations from finitely representable databases to finite databases (and vice versa) to lift collapse results for finite databases to collapse results for finitely representable databases. 

In the present paper the same is done for ω-representable databases and ω-databases (instead of finitely representable databases and finite databases, respectively). I.e.: 

(1.) We show how all the relevant information about an ω-representable database can be represented by an ω-database (cf. sections 5 and 6). The representation here is considerably different from the representations of [1] and [5]. It is, as the author feels, more natural for the context considered in the present paper. 

(2.) We show that the translation from the ω-representable to the ω-database (and vice versa) can be done by a first-order interpretation (cf. section 7). 

(3.) We use this translation to carry over a collapse result for ω-databases from [8] to a collapse result for ω-representable databases (cf. section 8). 

4 The Collapse Result for ω-Structures 

In [8] a structure A is called nicely representable if it satisfies the following conditions: 

(1) There is an infinite sequence $(I_n)_{n \in \omega}$ of intervals $I_n = \mathrm{int}[l_n, r_n]$, such that $l_n \le r_n < l_{n+1}$, and the sequence $(r_n)_{n \in \omega}$ is unbounded, 

(2) $\biguplus_{n \in \omega} I_n$ is the active domain of A, 

(3) every relation of A is constant on the multi-dimensional rectangles $I_{n_1} \times \cdots \times I_{n_{ar(R)}}$ ($n_1, \ldots, n_{ar(R)} \in \omega$). I.e., either all elements in $I_{n_1} \times \cdots \times I_{n_{ar(R)}}$ belong to $R^{\mathcal{A}}$, or no element in $I_{n_1} \times \cdots \times I_{n_{ar(R)}}$ belongs to $R^{\mathcal{A}}$. 

Theorem 1 ([8], Theorem 4). First-order logic has the natural order-generic collapse over (R, <, +) for nicely representable structures. □ 

Let us mention that the class of ω-representable structures (considered in the present paper) properly contains both the class of finitely representable and the class of nicely representable structures, whereas the class of nicely representable structures does not contain the class of finitely representable structures. 

The proof of Theorem 1 presented in [8] even shows the slightly stronger result which states that first-order logic has the natural order-generic collapse over (R, <, +) for structures that satisfy the conditions (1), (2’), and (3), where the condition (2’) says that there is a set $N \subseteq \omega$ such that $\biguplus_{n \in N} I_n$ is the active domain of A. In particular ω-structures, i.e. structures whose active domain is of type at most ω, do satisfy the conditions (1), (2’), and (3). This gives us the following 

Corollary 1. First-order logic has the natural order-generic collapse over (R, <, +) for ω-structures. □ 
5 Infinitary Logic and ω-Representable Relations 

It is well-known that FO(<, S) allows quantifier elimination over R, for every set of constants S ⊆ R. In this section we show that also $L_{\infty\omega}(<, S)$ allows quantifier elimination over R, provided that S is of type at most ω. Recall from section 2 that S ⊆ R is of type ω if and only if $S = \{s_1 < s_2 < \cdots\}$, where the sequence $(s_n)_{n \ge 1}$ is strictly increasing and unbounded. Accordingly, S is of type at most ω if S is finite or of type ω. 

However, our aim is not only to show that $L_{\infty\omega}(<, S)$ allows quantifier elimination, but to give an explicit characterization of the quantifier-free formulas. This characterization will give us full understanding of what ω-representable relations look like. 

Before giving the formalization of the quantifier elimination let us fix some notation. For the rest of this paper let S ⊆ R always be of type at most ω. We write S(i) to denote the i-th smallest element in S. For infinite S we define S(0) := −∞ and N(S) := ω, and we obtain $\mathbb{R} = \biguplus_{i \in N(S)} \mathrm{int}[S(i), S(i+1))$. 

For finite S we define S(0) := −∞, N(S) := {0, ..., |S|}, and S(|S|+1) := +∞; and, as before, we obtain $\mathbb{R} = \biguplus_{i \in N(S)} \mathrm{int}[S(i), S(i+1))$. 

For m ≥ 1 and $\bar i = (i_1, \ldots, i_m) \in N(S)^m$ we define $S(\bar i) := (S(i_1), \ldots, S(i_m))$, and 

$$Cube_{S,\bar i} := \mathrm{int}[S(i_1), S(i_1+1)) \times \cdots \times \mathrm{int}[S(i_m), S(i_m+1)).$$ 

We say that $S(\bar i)$ are the coordinates of the cube $Cube_{S,\bar i}$. Obviously, 

$$\mathbb{R}^m = \biguplus_{\bar i \in N(S)^m} Cube_{S,\bar i}.$$ 

Let $\bar a = (a_1, \ldots, a_m) \in \mathbb{R}^m$. The type $type_{\bar a,S,\bar i}$ of $\bar a$ with respect to $Cube_{S,\bar i}$ is the conjunction of all atoms in $\{y_i = x_i,\ y_i < x_i,\ x_i = x_j,\ x_i < x_j : i, j \in \{1, \ldots, m\},\ i \ne j\}$ which are satisfied if one interprets the variables $x_1, \ldots, x_m, y_1, \ldots, y_m$ by the numbers $a_1, \ldots, a_m, S(i_1), \ldots, S(i_m)$. 

We define $types_m$ to be the set of all complete conjunctions of atoms in $\{y_i = x_i,\ y_i < x_i,\ x_i = x_j,\ x_i < x_j : i, j \in \{1, \ldots, m\},\ i \ne j\}$, i.e., the set of all conjunctions t where, for all i, j ∈ {1, ..., m} with i ≠ j, either $y_i = x_i$ or $y_i < x_i$ occurs in t, and either $x_i = x_j$ or $x_i < x_j$ or $x_j < x_i$ occurs in t. Of course, $types_m$ is finite, and $type_{\bar a,S,\bar i} \in types_m$. Analogously, we define $Types_m$ to be the set of all subsets of $types_m$, i.e., $Types_m = \{T : T \subseteq types_m\}$. Of course, $Types_m$ is finite. 

For a relation $R \subseteq \mathbb{R}^m$ we define $Type_{R,S,\bar i} := \{type_{\bar a,S,\bar i} : \bar a \in R \cap Cube_{S,\bar i}\}$ to be the set of all types occurring in the restriction of R to $Cube_{S,\bar i}$. We say that $Type_{R,S,\bar i}$ is the type of $Cube_{S,\bar i}$ with respect to R. Of course, $Type_{R,S,\bar i} \in Types_m$. 

In the formalization of the quantifier elimination we further use the following notation: If φ is a $L_{\infty\omega}(<, S)$-formula with free variables $\bar x := x_1, \ldots, x_k$ and $\bar y := y_1, \ldots, y_m$, we write $\varphi(\bar y / S(\bar i))$ to denote the formula one obtains by replacing the variables $y_1, \ldots, y_m$ by the real numbers $S(i_1), \ldots, S(i_m)$. 
Proposition 1 (Quantifier Elimination). Let S ⊆ R be of type at most ω and let m ≥ 1. Every formula $\varphi(x_1, \ldots, x_m)$ in $L_{\infty\omega}(<, S)$ is equivalent over R to the formula 

$$\hat\varphi(\bar x) \;:=\; \bigvee_{\bar i \in N(S)^m}\ \bigvee_{t \in Type_{R,S,\bar i}} \Big( t(\bar y / S(\bar i)) \;\wedge\; \bigwedge_{j=1}^{m} S(i_j) \le x_j < S(i_j+1) \Big)$$ 

where $R \subseteq \mathbb{R}^m$ is the relation defined by $\varphi(\bar x)$. I.e., $R = \{\bar a \in \mathbb{R}^m : \mathbb{R} \models \varphi(\bar a)\} = \{\bar a \in \mathbb{R}^m : \mathbb{R} \models \hat\varphi(\bar a)\}$. □ 

The proof is similar to the quantifier elimination for FO(<, S) over R. Due to space limitations it is omitted here. 

Recall from section 2 that a relation $R \subseteq \mathbb{R}^m$ is called ω-representable iff there is a set S ⊆ R of type at most ω such that R is definable in $L_{\infty\omega}(<, S)$. From Proposition 1 we know what R looks like: It is defined by an infinitary boolean combination of order-constraints over S, and it essentially consists of a finite or a countable number of multidimensional rectangles. (Note, however, that also certain triangles are allowed, e.g. via the constraint $S(i) \le x_1 < x_2 < S(i+1)$.) An ω-representable binary relation is illustrated in Figure 1. 

Fig. 1. An ω-rep. binary relation R. The grey regions are those that belong to R. 



6 ω-Representations of Relations and Structures 

Definition 1. Let $R \subseteq \mathbb{R}^m$. A set S ⊆ R is called sufficient for defining R if S is of type at most ω and R is definable in $L_{\infty\omega}(<, S)$. □ 

Remark 1. We say that a relation $R \subseteq \mathbb{R}^m$ is constant on a set $M \subseteq \mathbb{R}^m$ if either all elements of M belong to R or no element of M belongs to R. 

From Proposition 1 we obtain that a set S ⊆ R of type at most ω is sufficient for defining R if and only if R is constant on the sets 

$$Cube_{S,\bar i,t} := \{\bar b \in Cube_{S,\bar i} : type_{\bar b,S,\bar i} = t\}$$ 

for all $\bar i \in N(S)^m$ and all $t \in types_m$. □ 
Let $R \subseteq \mathbb{R}^m$ be ω-representable and let S ⊆ R be sufficient for defining R. From Remark 1 we know, for all $\bar i \in N(S)^m$ and all $t \in types_m$, that either $R \cap Cube_{S,\bar i,t} = \emptyset$ or $R \supseteq Cube_{S,\bar i,t}$. This means that if we know, for each $\bar i \in N(S)^m$ and each $t \in types_m$, whether or not R contains an element of $Cube_{S,\bar i,t}$, then we can reconstruct the entire relation R. 

For $i_j \ne 0$ we represent the interval $\mathrm{int}[S(i_j), S(i_j+1)) \subseteq \mathbb{R}$ by the number $S(i_j)$. Consequently, for $\bar i \in (N(S) \setminus \{0\})^m$, we can represent $Cube_{S,\bar i,t} \subseteq \mathbb{R}^m$ by the tuple $S(\bar i) \in S^m$. The information whether or not R contains an element of $Cube_{S,\bar i,t}$ can be represented by the relation $R_{S,t} := \{S(\bar i) : \bar i \in (N(S) \setminus \{0\})^m \text{ and } R \cap Cube_{S,\bar i,t} \ne \emptyset\}$. 

In general, we would like to represent every $Cube_{S,\bar i,t}$, for every $\bar i \in N(S)^m$, by a tuple in $S^m$. Unfortunately, the case where $i_j = 0$ must be treated separately, because $S(0) = -\infty \notin S$. There are various possibilities for solving this technical problem. Here we propose the following solution: Use S(1) to represent the interval int[S(0), S(1)). With every tuple $\bar i \in N(S)^m$ we associate a characteristic tuple $char(\bar i) := (c_1, \ldots, c_m) \in \{0,1\}^m$ and a tuple $\bar i' \in (N(S) \setminus \{0\})^m$ via $c_j := 0$ and $i'_j := 1$ if $i_j = 0$, and $c_j := 1$ and $i'_j := i_j$ if $i_j \ne 0$. Now $Cube_{S,\bar i,t}$ can be represented by the tuple $S(\bar i') \in S^m$. The information whether or not R contains an element of $Cube_{S,\bar i,t}$ can be represented by the relations $R_{S,t,u} := \{S(\bar i') : \bar i \in N(S)^m,\ char(\bar i) = u,\ \text{and } R \cap Cube_{S,\bar i,t} \ne \emptyset\}$ (for all $u \in \{0,1\}^m$). This leads to 

Definition 2 (ω-Representation of a Relation). 

Let $R \subseteq \mathbb{R}^m$ be ω-representable, and let S ⊆ R be sufficient for defining R. 

(a) We represent the m-ary relation R over R by a finite number of m-ary relations over S as follows: The ω-representation of R with respect to S is the collection 

$$rep_S(R) := \big(R_{S,t,u}\big)_{t \in types_m,\ u \in \{0,1\}^m}$$ 

where $R_{S,t,u} := \{S(\bar i') : \bar i \in N(S)^m,\ char(\bar i) = u,\ \text{and } R \cap Cube_{S,\bar i,t} \ne \emptyset\}$. Here, for $\bar i \in N(S)^m$ we define $\bar i'$ and $char(\bar i)$ via $i'_j := 1$ and $(char(\bar i))_j := 0$ if $i_j = 0$, and $i'_j := i_j$ and $(char(\bar i))_j := 1$ if $i_j \ne 0$. 

(b) For $\bar x \in Cube_{S,\bar i,t}$ we say that $u := char(\bar i)$ is the characteristic tuple of $\bar x$ w.r.t. S, $\bar y := S(\bar i')$ is the representative of $\bar x$ w.r.t. S, and t is the type of $\bar x$ w.r.t. S. From Remark 1 we obtain that $\bar x \in R$ iff $\bar y \in R_{S,t,u}$. □ 

We will now transfer the notion of “ω-representation” from relations to τ-structures. 

Recall from section 2 that a (R, τ)-structure A is called ω-representable iff each of A’s relations is ω-representable. 

Definition 3. Let A be a (R, τ)-structure. A set S ⊆ R is called sufficient for defining A if 

— S is of type at most ω, 

— $c^{\mathcal{A}} \in S$, for every constant symbol c ∈ τ, and 

— S is sufficient for defining $R^{\mathcal{A}}$, for every relation symbol R ∈ τ. □ 

Let A be a (R, τ)-structure, and let S be a set sufficient for defining A. According to Definition 2, each of A’s relations $R^{\mathcal{A}}$ of arity, say, m can be represented by a finite collection $rep_S(R^{\mathcal{A}}) = (R^{\mathcal{A}}_{S,t,u})_{t \in types_m,\ u \in \{0,1\}^m}$ of m-ary relations over S. I.e. A can be represented by a structure $rep_S(\mathcal{A})$ with active domain S as follows: 

Definition 4 (ω-Representation of a Structure). Let τ be a signature. 

(a) The type extension τ' of τ is the signature which consists of 

— the same constant symbols as τ, 

— a unary relation symbol S, and 

— a relation symbol $R_{t,u}$ of arity, say, m, for every relation symbol R ∈ τ of arity m, every $t \in types_m$, and every $u \in \{0,1\}^m$. 

(b) Let A be an ω-representable structure and let S be a set sufficient for defining A. We represent A by the (R, τ')-structure $rep_S(\mathcal{A})$ which satisfies 

— $c^{rep_S(\mathcal{A})} = c^{\mathcal{A}}$ for each c ∈ τ, 

— $S^{rep_S(\mathcal{A})} = S$ (for the unary relation symbol S ∈ τ'), and 

— $R_{t,u}^{rep_S(\mathcal{A})} = R^{\mathcal{A}}_{S,t,u}$ for each R ∈ τ, each $t \in types_{ar(R)}$, and each $u \in \{0,1\}^{ar(R)}$. □ 
7 FO-Interpretations 

The concept of first-order interpretations (or, reductions) is well-known in mathematical logic (cf., e.g. [4]). In the present paper we consider the following easy version: 

Definition 5 (FO-Interpretation of σ in τ). Let σ and τ be signatures. A FO-interpretation of σ in τ is a collection $\Phi = \big((\varphi_c(x))_{c \in \sigma},\ (\varphi_R(\bar x))_{R \in \sigma}\big)$ of FO(τ)-formulas. For every (U, τ)-structure A, the (U, σ)-structure Φ(A) is given via 

— $\{c^{\Phi(\mathcal{A})}\} = \{a \in U : \mathcal{A} \models \varphi_c(a)\}$, for each constant symbol c ∈ σ, 

— $R^{\Phi(\mathcal{A})} = \{\bar a \in U^{ar(R)} : \mathcal{A} \models \varphi_R(\bar a)\}$, for each relation symbol R ∈ σ. □ 

Making use of a FO-interpretation of σ in τ, one can translate FO(σ)-formulas into FO(τ)-formulas (cf., [4, Exercise 11.2.4]): 

Lemma 1. Let σ and τ be signatures, let Φ be a FO-interpretation of σ in τ, and let d be the maximum quantifier depth of the formulas in Φ. 

For every FO(σ)-sentence χ there is a FO(τ)-sentence χ' with $qd(\chi') \le qd(\chi) + d$, such that “$\mathcal{A} \models \chi'$ iff $\Phi(\mathcal{A}) \models \chi$” is true for every (U, τ)-structure A. □ 

Proof. χ' is obtained from χ by replacing every atomic formula $R(\bar x)$ (resp. $x = c$) by the formula $\varphi_R(\bar x)$ (resp. $\varphi_c(x)$). ■ 
The following lemma shows that A is first-order definable in $rep_S(\mathcal{A})$, i.e.: all relevant information about A can be reconstructed from $rep_S(\mathcal{A})$ (if A is ω-representable and if S is sufficient for defining A). 

Lemma 2. There is a FO-interpretation Φ of τ in τ' ∪ {<} such that $\Phi((rep_S(\mathcal{A}), <)) = \mathcal{A}$, for every ω-representable (R, τ)-structure A and every set S which is sufficient for defining A. □ 

Proof (sketch). For every constant symbol c ∈ τ we define $\varphi_c(x) := x = c$. 

For every relation symbol R ∈ τ of arity, say, m we construct a formula $\varphi_R(\bar x)$ which expresses that $\bar x \in R$. From Definition 2(b) we know that $\bar x \in R$ iff $\bar y \in R_{S,t,u}$, where $\bar y$, t, and u are the representative, the type, and the characteristic tuple, respectively, of $\bar x$ w.r.t. S. 

It is straightforward to construct, for fixed $t \in types_m$ and $u \in \{0,1\}^m$, a FO(τ', <)-formula $\varphi_{t,u}(\bar x)$ which expresses that 

— $\bar x$ has type t w.r.t. S, 

— u is the characteristic tuple of $\bar x$ w.r.t. S, and 

— for the representative $\bar y$ of $\bar x$ w.r.t. S it holds that $R_{t,u}(\bar y)$. 

The disjunction of the formulas $\varphi_{t,u}(\bar x)$, for all $t \in types_m$ and all $u \in \{0,1\}^m$, gives us the desired formula $\varphi_R(\bar x)$ which expresses that $\bar x \in R$. ■ 
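The following Python script is an added worked example and not code from the paper. It implements, for a relation R given as a predicate on $\mathbb{R}^m$ and a set S of type at most ω, the objects of section 5 and Definition 2: the cube index $\bar i$ of a point, its type t, its characteristic tuple u and its representative $\bar y = S(\bar i')$. It decides $\bar y \in R_{S,t,u}$ by evaluating R on a single witness point of $Cube_{S,\bar i,t}$ (which is exactly what Remark 1 licenses when S is sufficient for defining R), and it recovers $\bar x \in R$ from $(t, u, \bar y)$ alone, i.e. the direction of Lemma 2. It also checks Remark 1 on a sample of points: two points of one $Cube_{S,\bar i,t}$ on which R disagrees prove that S is not sufficient for defining R. The set S = {1, 2, 3, ...} (of type ω over R), the two constructed relations (the “triangles” of section 5, and a variant that also cuts at 0 ∉ S) and all function names are this example's own assumptions; types are encoded as sets of strings such as "x1<x2".

```python
import math
from itertools import combinations

INF = math.inf


class OmegaSet:
    """S of type at most omega: nth(i) for i = 1..size, strictly increasing; size None = infinite, unbounded."""

    def __init__(self, nth, size=None):
        self.nth, self.size = nth, size

    def S(self, i):  # S(0) = -inf and, for finite S, S(|S|+1) = +inf (section 5)
        if i == 0:
            return -INF
        return INF if self.size is not None and i > self.size else self.nth(i)

    def index(self, a):  # the unique i in N(S) with S(i) <= a < S(i+1); terminates since S is unbounded
        i = 0
        while self.S(i + 1) <= a:
            i += 1
        return i


def tuple_type(S, i, a):
    """type_{a,S,i}: complete conjunction of y_j=x_j / y_j<x_j and x_j=x_k / x_j<x_k atoms, as strings."""
    atoms = set()
    for j, (ij, aj) in enumerate(zip(i, a), start=1):
        atoms.add(f"y{j}=x{j}" if S.S(ij) == aj else f"y{j}<x{j}")
    for j, k in combinations(range(1, len(a) + 1), 2):
        aj, ak = a[j - 1], a[k - 1]
        atoms.add(f"x{j}=x{k}" if aj == ak else f"x{j}<x{k}" if aj < ak else f"x{k}<x{j}")
    return frozenset(atoms)


def point_data(S, a):
    """Definition 2(b): cube index i, type t, characteristic tuple u and representative y = S(i')."""
    i = tuple(S.index(aj) for aj in a)
    u = tuple(0 if ij == 0 else 1 for ij in i)
    y = tuple(S.S(1 if ij == 0 else ij) for ij in i)  # cube index 0 is encoded by S(1), flagged by u_j = 0
    return i, tuple_type(S, i, a), u, y


def witness(S, i, t):
    """A point of Cube_{S,i,t}, or None if it is empty (t must be consistent, as every tuple_type output is)."""
    m = len(i)
    rank = {j: sum(f"x{k}<x{j}" in t for k in range(1, m + 1)) for j in range(1, m + 1)}
    a, prev = [None] * m, -INF
    for r in sorted(set(rank.values())):  # one equality class of t at a time, smallest first
        cls = [j for j in range(1, m + 1) if rank[j] == r]
        fixed = {S.S(i[j - 1]) for j in cls if f"y{j}=x{j}" in t}  # y_j = x_j forces a_j = S(i_j)
        lo = max([prev] + [S.S(i[j - 1]) for j in cls if f"y{j}=x{j}" not in t])  # open lower bound
        hi = min(S.S(i[j - 1] + 1) for j in cls)  # open upper bound
        if len(fixed) > 1 or (fixed and not lo < next(iter(fixed)) < hi) or not lo < hi:
            return None
        if fixed:
            v = fixed.pop()
        elif hi == INF:
            v = lo + 1 if lo > -INF else 0.0
        elif lo == -INF:
            v = hi - 1
        else:
            v = (lo + hi) / 2
        for j in cls:
            a[j - 1] = v
        prev = v
    return tuple(a)


def in_rep(R, S, t, u, y):
    """y in R_{S,t,u} (Definition 2(a)), decided on one witness; sound by Remark 1 when S is sufficient for R."""
    i = tuple(0 if uj == 0 else S.index(yj) for uj, yj in zip(u, y))
    w = witness(S, i, t)
    return w is not None and bool(R(w))


def member_via_rep(R, S, a):
    """x in R iff y in R_{S,t,u}: membership recovered from rep_S(R) alone (the direction of Lemma 2)."""
    _, t, u, y = point_data(S, a)
    return in_rep(R, S, t, u, y)


def find_inconsistency(R, S, points):
    """Remark 1 on a sample: a pair of points of one Cube_{S,i,t} on which R differs, else None."""
    seen = {}
    for a in points:
        i, t, _, _ = point_data(S, a)
        if (i, t) in seen and bool(R(seen[(i, t)])) != bool(R(a)):
            return seen[(i, t)], a
        seen.setdefault((i, t), a)
    return None


# Constructed sample (this example's assumption): S = {1, 2, 3, ...}, which is of type omega over R.
S_OMEGA = OmegaSet(float)


def same_cell_below(a):  # the triangles S(i) <= x1 < x2 < S(i+1) of section 5; S_OMEGA is sufficient for it
    return a[0] < a[1] and (a[1] < 1 or math.floor(a[0]) == math.floor(a[1]))


def same_floor(a):  # additionally cuts at 0, which is not in S_OMEGA: not constant on Cube_{S,(0,0),t}
    return a[0] < a[1] and math.floor(a[0]) == math.floor(a[1])


SAMPLE = [(0.2, 0.5), (-0.5, 0.5), (2.5, 2.75), (0.5, 2.0), (3.0, 3.0), (1.0, 1.5), (2.75, 2.5)]
```

S is passed as a function rather than enumerated, because a set of type ω is infinite; `index(a)` only scans the finite prefix of S below a, and that scan terminates precisely because S is unbounded. A finite S is obtained with `OmegaSet(lambda i: [0.0, 10.0][i - 1], size=2)`. For `same_cell_below`, `member_via_rep` agrees with the relation on every sample point, and `find_inconsistency` returns None; for `same_floor` the points (0.2, 0.5) and (−0.5, 0.5) lie in the same $Cube_{S,(0,0),t}$ but only the first belongs to the relation, so S_OMEGA is not sufficient and the reconstruction from the representation is wrong on (−0.5, 0.5).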

We now want to show the converse of Lemma 2, i.e., we want to show that the ω-representation of A is first-order definable in A. Up to now the ω-representation $rep_S(\mathcal{A})$ was parameterized by a set S which is sufficient for defining A. For the current step we need the existence of a canonical, first-order definable set S. For this canonization we can use the following result of Grädel and Kreutzer [5, Lemma 8]: 

Lemma 3 (Canonical set sufficient for defining R). Let $R \subseteq \mathbb{R}^m$ be ω-representable and let $S_R$ be the set of all elements s ∈ R which satisfy the following condition (*): 

There are $a_1, \ldots, a_m, \varepsilon \in \mathbb{R}$, ε > 0, such that one of the following holds: 

— For all $s' \in \mathrm{int}(s-\varepsilon, s)$ and for no $s' \in \mathrm{int}(s, s+\varepsilon)$ we have $R(\bar a[s/s'])$. Here $\bar a[s/s']$ means that all components $a_j = s$ are replaced by s'. 

— For no $s' \in \mathrm{int}(s-\varepsilon, s)$ and for all $s' \in \mathrm{int}(s, s+\varepsilon)$ we have $R(\bar a[s/s'])$. 

— $R(\bar a[s/s'])$ holds for all $s' \in \mathrm{int}(s-\varepsilon, s+\varepsilon) \setminus \{s\}$, but not for s' = s. 

— $R(\bar a[s/s'])$ holds for s' = s, but not for any $s' \in \mathrm{int}(s-\varepsilon, s+\varepsilon) \setminus \{s\}$. 

The following holds true: 

(1.) $S_R$ is included in every set S ⊆ R which is sufficient for defining R. 

(2.) $S_R$ is sufficient for defining R. 

The set $S_R$ is called the canonical set sufficient for defining R. It is straightforward to formulate a FO(R, <)-formula $C_R(x)$ which expresses condition (*), such that $S_R = \{s \in \mathbb{R} : (\mathbb{R}, R, <) \models C_R(s)\}$ for every ω-representable m-ary relation R. □ 
Definition 6 (Canonical Representation of a Structure). Let τ be a signature and let A be an ω-representable (R, τ)-structure. The set 

$$S_{\mathcal{A}} := \{c^{\mathcal{A}} : c \in \tau\} \ \cup \bigcup_{R \in \tau} S_{R^{\mathcal{A}}}$$ 

is called the canonical set sufficient for defining A. Similarly, the representation $canrep(\mathcal{A}) := rep_{S_{\mathcal{A}}}(\mathcal{A})$ is called the canonical representation of A. □ 

Remark 2. It is straightforward to see that $\alpha(canrep(\mathcal{A})) = canrep(\alpha(\mathcal{A}))$ is true for every ω-representable (R, τ)-structure A and every order-automorphism α of R. □ 

We are now ready to prove the converse of Lemma 2. 

Lemma 4. There is a FO-interpretation Φ' of τ' in τ ∪ {<} such that $\Phi'((\mathcal{A}, <)) = canrep(\mathcal{A})$, for every ω-representable (R, τ)-structure A. □ 

Proof (sketch). For every constant symbol c ∈ τ' we define $\varphi_c(x) := x = c$. 

For every relation symbol R ∈ τ let $C_R(x)$ be the formula from Lemma 3 describing the canonical set sufficient for defining $R^{\mathcal{A}}$. Obviously, the formula $\varphi_S(x) := \bigvee_{c \in \tau} x = c \ \vee \ \bigvee_{R \in \tau} C_R(x)$ describes the canonical set sufficient for defining A. 

For every relation symbol $R_{t,u} \in \tau'$ of arity, say, m we construct a formula $\varphi_{R_{t,u}}(\bar y)$ which expresses that $\bar y \in R_{t,u}$. We make use of Definition 2(b). I.e., $\varphi_{R_{t,u}}(\bar y)$ states that $y_1, \ldots, y_m$ satisfy $\varphi_S$ and that there is some $\bar x$ such that 

— $\bar y$ is the representative of $\bar x$ w.r.t. $S_{\mathcal{A}}$, 

— $R(\bar x)$, 

— $\bar x$ has type t w.r.t. $S_{\mathcal{A}}$, and 

— u is the characteristic tuple of $\bar x$ w.r.t. $S_{\mathcal{A}}$. 

It is straightforward to formalize this in first-order logic. ■ 

8 The Main Theorems and Their Proofs 

We first show the 

Main Theorem 2. Let (R, <, ...) be an extension of (R, <) with arbitrary additional predicates. If first-order logic has the natural order-generic collapse over (R, <, ...) for the class of ω-structures, then it has the natural order-generic collapse over (R, <, ...) for the class of ω-representable structures. □ 

Proof. Let τ be a signature, let φ be a FO(τ, <, ...)-sentence, and let K be the class of all ω-representable (R, τ)-structures on which φ is order-generic. We need to find a FO(τ, <)-sentence ψ such that “(A, <, ...) ⊨ φ iff (A, <) ⊨ ψ” is valid for all A ∈ K. 

Let τ' be the type extension of τ. We first make use of Lemma 2: Let Φ be the FO-interpretation of τ in τ' ∪ {<} which is obtained in Lemma 2. In particular, we have $\Phi((canrep(\mathcal{A}), <)) = \mathcal{A}$, for all A ∈ K. From Lemma 1 we obtain a FO(τ', <, ...)-sentence φ' such that “$(canrep(\mathcal{A}), <, \ldots) \models \varphi'$ iff $(\Phi((canrep(\mathcal{A}), <)), <, \ldots) \models \varphi$ iff $(\mathcal{A}, <, \ldots) \models \varphi$” is true for all A ∈ K. 

From our assumption we know that first-order logic has the natural order-generic collapse over (R, <, ...) for the class of ω-structures. Of course canrep(A) is an ω-structure. Furthermore, with Remark 2 we obtain that φ' is order-generic on canrep(A) for all A ∈ K. 

Hence there must be a FO(τ', <)-sentence ψ' such that “$(canrep(\mathcal{A}), <, \ldots) \models \varphi'$ iff $(canrep(\mathcal{A}), <) \models \psi'$” is true for all A ∈ K. 

We now make use of Lemma 4: Let Φ' be the FO-interpretation of τ' in τ ∪ {<} which is obtained in Lemma 4. In particular, we have $\Phi'((\mathcal{A}, <)) = canrep(\mathcal{A})$, for all A ∈ K. According to Lemma 1, we can transform ψ' into a FO(τ, <)-sentence ψ such that “$(\mathcal{A}, <) \models \psi$ iff $(\Phi'((\mathcal{A}, <)), <) \models \psi'$ iff $(canrep(\mathcal{A}), <) \models \psi'$” is true for all A ∈ K. Obviously, ψ is the desired sentence, and hence our proof is complete. ■ 

Main Theorem 2 and Corollary 1 directly give us the following 

Main Theorem 1. First-order logic has the natural order-generic collapse over (R, <, +) for the class of ω-representable structures. □ 



9 Conclusion 

We have developed the notion of ω-representable databases, which is a natural generalization of the notion of finitely representable (i.e. dense order constraint) databases. We have shown that any collapse result for ω-databases can be lifted to the analogous collapse result for ω-representable databases. In particular, this implies that first-order logic has the natural order-generic collapse over (R, <, +) and (Q, <, +) for ω-representable databases. 

Recursive Databases. In theoretical computer science one is often interested in things that can be represented in the finite. This is not a priori true for ω-representable databases. However, there is a line of research considering recursive structures (cf. [6]). In this setting a database is called recursive if there is, for each of its relations, an algorithm which effectively decides whether or not an input tuple belongs to that relation. The results of the present paper are, in particular, true for the class of ω-representable recursive databases, which still is a rather natural extension of the class of finitely representable (i.e. dense order constraint) databases. 

Open Questions. It is an obvious question if the collapse results discussed in the present paper also hold for Z-databases (i.e. databases whose active domain is of type at most Z) and for Z-representable databases. It should be straightforward to transform the proof of Main Theorem 2 in such a way that it is valid for these databases. However, we do not know if the corresponding analogue to Corollary 1 is valid. 

Another question is whether such a collapse result for ω-representable databases is valid also over structures other than (R, <, +) and (Q, <, +). E.g.: Is it valid over (R, <, +, ×), or even over all (quasi) o-minimal structures? (This would then fully generalize the results of Belegradek et al. [1].) 

We also want to mention a potential application concerning topological queries: Kuijpers and Van den Bussche [7] used the theorem of Benedikt et al. [2] to obtain a collapse result for topological first-order definable queries. One step of their proof was to encode spatial databases (of a certain kind) by finite databases, to which the result of [2] can be applied. Here the question arises whether there is an interesting class of spatial databases that can be encoded by ω-representable (but not by finite) databases in such a way that our main theorem helps to obtain some collapse result for topological queries. 
Abstract. Higraphs, which are structures extending graphs by permitting a hierarchy of nodes, underlie a number of diagrammatic formalisms popular in computing. We provide an algebraic account of higraphs (and of a mild extension), with our main focus being on the mathematical structures underlying common operations, such as those required for understanding the semantics of higraphs and Statecharts, and for implementing sound software tools which support them. 



1 Introduction 

Recent years have witnessed a rapid, ongoing popularisation of diagrammatic 
notations in the specification, modelling and programming of computing sys- 
tems. Most notable among them are Statecharts [3], a notation for modelling 
reactive systems, and the Unified Modelling Language (UML) [10], a family of 
diagrammatic notations for object-based modelling. As the popularity of dia- 
grammatic languages in computing and software engineering increases, so does 
the need of supporting best practice in terms of a sound theory accounting for 
the multitude of syntactic, semantic and pragmatic issues involved. 

A major difficulty in achieving this goal becomes evident when one begins to 
appreciate the intricate structural complexities of the diagrams typically found 
in practice, which consist of a multitude of largely heterogeneous and interacting 
features, the combinations and interactions among them often being ad hoc and 
poorly understood. Our approach to dealing with this problem is to investigate 
how diagrams may be decomposed into elementary, underlying structures and 
features, the properties and interpretations of which we study in mathematical 
and cognitive terms, and to formulate principles and techniques for sensibly 
combining them in the design of improved diagrammatic notations. Thus our approach is to first uncover underlying, fundamental structure, which serves for diagrams a role akin in spirit to the role played by various λ-calculi in the study of conventional programming languages. 
This paper presents a step in this direction by developing a category-theoretic framework for higraphs [4,5]. The latter are an extension of graphs which underlie 
a number of sophisticated diagrammatic formalisms including, most prominently, 
Statecharts, the state diagrams of UML, and the domain-specific language Argos 
[8] for programming reactive systems. The feature of higraphs we consider as 
definitive is that of depth, the containment of nodes inside other nodes. This 
feature is systematically exploited in applications to produce concise, economical 
representations of complex state-transition systems, such as those underlying 
realistic reactive systems. 

The first operation we study is an essential device in understanding the con- 
currency features of Statecharts. Another operation we develop accounts in a 
natural way for the connection between higraphs and the state-transition struc- 
tures they represent. 

Even diagrams which are designed with economy and compactness in mind 
may still grow impractically large, or simply become too detailed to be effective. 
One therefore still needs effective mechanisms, and tools to support them, for 
re-organising, abstracting and filtering the information present in diagrams [9]. 

The leading example studied here is a filtering operation on higraphs, in- 
troduced briefly and motivated by Harel in [4] under the name of zooming out. 
Further, we generalise Harel’s operation to include other cases of practical inter- 
est and show its precise correspondence to a pushout construction in a suitable 
category of higraphs. 

A promising approach to understanding the meaning of certain modelling 
diagrams (but not presently higraphs) in terms of sketches [1] has been the 
product of recent work by Diskin et al. [2]. Our emphasis here is instead on 
accounting for the algebraic structure of higraphs (and, in future, of other kinds 
of diagrams in computing) as a basis for making precise the semantic import 
of common syntactic operations on them. The rationale is that, in practice, 
diagrams are first-class objects which are constantly manipulated and altered in 
the course of design and reasoning about computing systems. 

Many of the mathematical structures developed here seem to generalise 
smoothly to graph-based constructions other than higraphs. In [11] we explore 
such relevant, deeper category-theoretic structures, which include internal cat- 
egories, symmetric monoidal adjunctions, and the so-called “other” symmetric 
monoidal closed structure on Cat (the category of all small categories and func- 
tors). As such, [11] is only accessible to an audience of category theory experts, 
aiming at detailed mathematical investigation and relying only on few moti- 
vating examples and terse explanation to support the abstract development. 
Our objective here is instead to present and study lucidly the concrete case of 
higraphs; and to do so in a way accessible to a wide audience of computer scien- 
tists, who have immediate scientific and practical interest in higraphs and their 
applications in UML and Statecharts, but only minimal knowledge of categories 
and functors. 

Section 2 introduces higraphs and their applications in computing, followed 
by the development in Section 3 of a category of higraphs. The latter is endowed 
with a symmetric monoidal closed structure in Section 4 which underpins the 
concurrency feature of Statecharts. An exposition of Harel’s zoom-out operation 
and its generalisation is the subject of Section 5. A completion operation under- 
lying the state-transition interpretation of higraphs is developed and studied in 
Section 6. Finally, Section 7 accommodates into our framework a mild extension 
of higraphs. 



2 Higraphs 

Higraphs, originally developed by Harel [4] as a foundation for Statecharts [3], 
are diagrammatic (“visual”) objects which extend graphs by permitting spatial 
containment among the nodes. Figure 1 illustrates the pictorial representation 




Fig. 1. A simple higraph. 



of a simple higraph consisting of six nodes and four edges, with the nodes la- 
belled B, C and D being spatially contained within the node labelled A. It is 
therefore common, and we shall hereafter adhere to convention, to call the nodes 
of a higraph blobs, as an indication of their pictorial representation by convex 
contours on the plane. A blob is called atomic if no other blobs are contained 
in it. The feature of spatial containment is often referred to as depth, leading 
to an expression of the relationship of higraphs to graphs in terms of Harel’s 
“equation”: higraphs = graphs + depth¹. 

The main application of higraphs has been in the specification and visualisa- 
tion of complex state-transition systems, manifested mainly in Statecharts and, 
more recently, in the state diagrams of UML. In such applications, depth is used 
both as a conceptual device, in decomposing the overall system into meaningful 
subsystems, and as an economical and effective representation of interrupts. In 
terms of our example higraph in Figure 1, the edge emanating from blob A may 

¹ Higraph is a term coined by Harel [4] as short for hierarchical graph, but often used 
quite liberally to include several variants. The view taken here is that depth is the 
most distinguishing, definitive feature of higraphs, common to all variants. Harel’s 
original definition includes an extra feature which he called orthogonality and which 
is not treated here. It is our conviction, supported by preliminary results outside 
the scope of the present paper, that orthogonality can, at least mathematically, be 
regarded as an extension to the basic, “depth-only” higraphs considered here. 
be regarded as a higher-level transition interrupting the operation of the subsystem comprising states (i.e. atomic blobs) B, C and D. When applied at multiple 
levels, depth therefore facilitates the concise representation of large systems by 
drastically reducing the number of edges required to specify the transition relation among states. Thus, for instance, the higraph on the left of the following picture 

[Figure not reproduced] 

concisely represents the transition system on the right². 

3 Categories of Higraphs 

We begin with a set-theoretic definition of our notion of higraphs, based on 
Harel’s [4]: 

Definition 1. A higraph is a 5-tuple $(B, \le_B, E, \le_E, s, t)$, where $B$ and $E$ are respectively the sets of blobs and edges, $\le_B$ is a partial order on $B$, $\le_E$ is a partial order on $E$, and $s, t : E \to B$ are monotone functions giving, for each edge $e \in E$, its source blob $s(e)$ and target blob $t(e)$. □ 

In practice, a higraph typically arises as a graph $(B, E, s, t)$ together with a partial order $\le_B$ on $B$. In that case, the poset structure on $E$ may be taken to be the discrete one. However, other choices of orders on $E$ may be useful, e.g. for encoding the conflict resolution schemes [6] adopted in Statecharts. 

Thus, each higraph $\chi$ is, essentially, a pair of “parallel” monotone functions $\chi_s = s : \chi_E \to \chi_B$ and $\chi_t = t : \chi_E \to \chi_B$, with common domain the poset $\chi_E = (E, \le_E)$ and codomain $\chi_B = (B, \le_B)$. By taking into account the two implicit identity functions on $B$ and $E$, which are trivially monotone, every such pair is exactly a functor $\chi$ from the category $\bullet \rightrightarrows \bullet$ consisting of two objects and two non-identity arrows as shown, to the category Poset having all (small) posets as objects and monotone functions as arrows. We have therefore arrived at a categorical formulation in which a higraph is regarded as a functor from $\bullet \rightrightarrows \bullet$ to Poset. 

Notation 1. Hereafter we shall denote such functors $\chi, \chi', \chi'', \ldots$ and implicitly decompose them as $\chi = (s, t : E \to B)$, $\chi' = (s', t' : E' \to B')$ and so on, unless specifically indicated otherwise. 

² In Statecharts, however, either B or C would normally be designated as the default state within A, thus resulting in a less general interpretation. We have chosen not to add such a device to higraphs in the present paper, for reasons of generality and simplicity of exposition. 

An Algebraic Foundation for Higraphs 149 

3.1 Morphisms of Higraphs 

Definition 2. Given any two such functors $\chi$ and $\chi'$, a natural transformation $\tau$ from $\chi$ to $\chi'$, denoted $\tau : \chi \to \chi'$, consists of two monotone functions $\tau_B : B \to B'$ and $\tau_E : E \to E'$ such that $\tau_B \circ s = s' \circ \tau_E$ and $\tau_B \circ t = t' \circ \tau_E$. □ 

In pictorial terms, a natural transformation $\tau : \chi \to \chi'$ provides an image of $\chi$ into $\chi'$ while preserving the two pertinent visual relations in higraphs (containment of blobs and attachment of edges). As such, natural transformations among functors from $\bullet \rightrightarrows \bullet$ to Poset provide an intuitive account of morphisms between higraphs. 

Notation 2. Let, as usual, $[\bullet \rightrightarrows \bullet, \mathrm{Poset}]$ denote the category having all functors from $\bullet \rightrightarrows \bullet$ to Poset as objects, and all natural transformations among them as arrows. Hereafter we shall abbreviate this category as $\mathcal{H}$ and regard it as our base category of higraphs and their morphisms. 
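As an added example (not code from the paper), the following Python encodes Definition 1 and Definition 2 as executable checks: a higraph is stored as two posets and two monotone maps, and is_morphism tests monotonicity of the components together with the two naturality equations. The sample higraph is constructed in the spirit of Figure 1 (B, C, D inside A; the remaining labels X, Y and the edge endpoints are assumptions), and the morphism exercised collapses the contents of A onto A, while a second candidate fails naturality:

```python
"""Added example (not from the paper): Definition 1 (higraph) and Definition 2 (morphism) as checks."""
from itertools import product


def closure(elements, strict_pairs):
    """Reflexive-transitive closure of a containment relation, as a set of (x, y) pairs meaning x <= y."""
    le = {(x, x) for x in elements} | set(strict_pairs)
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(le), repeat=2):
            if b == c and (a, d) not in le:
                le.add((a, d))
                changed = True
    return frozenset(le)


def is_monotone(f, dom_le, cod_le):
    """A map f (a dict) is monotone iff x <= y in the domain implies f(x) <= f(y) in the codomain."""
    return all((f[x], f[y]) in cod_le for (x, y) in dom_le)


class Higraph:
    """chi = (s, t : E -> B) with partial orders le_B on blobs and le_E on edges (Definition 1)."""

    def __init__(self, blobs, blob_pairs, edges, edge_pairs, src, tgt):
        self.B, self.le_B = frozenset(blobs), closure(blobs, blob_pairs)
        self.E, self.le_E = frozenset(edges), closure(edges, edge_pairs)
        self.s, self.t = dict(src), dict(tgt)

    def is_valid(self):
        """s and t must be total on E, land in B, and be monotone (E, le_E) -> (B, le_B)."""
        total = set(self.s) == self.E == set(self.t)
        into_b = set(self.s.values()) <= self.B and set(self.t.values()) <= self.B
        return (total and into_b and is_monotone(self.s, self.le_E, self.le_B)
                and is_monotone(self.t, self.le_E, self.le_B))

    def atomic_blobs(self):
        """Blobs containing no other blob, i.e. the minimal elements of le_B."""
        return {b for b in self.B if not any(a != b and (a, b) in self.le_B for a in self.B)}


def is_morphism(x, y, tau_B, tau_E):
    """Definition 2: (tau_B, tau_E) is a morphism x -> y iff both components are monotone and
    tau_B o s = s' o tau_E and tau_B o t = t' o tau_E hold for every edge."""
    if not (is_monotone(tau_B, x.le_B, y.le_B) and is_monotone(tau_E, x.le_E, y.le_E)):
        return False
    return all(tau_B[x.s[e]] == y.s[tau_E[e]] and tau_B[x.t[e]] == y.t[tau_E[e]] for e in x.E)


def figure1_like():
    """Constructed sample: six blobs and four edges, with B, C, D contained in A."""
    return Higraph(
        blobs={"A", "B", "C", "D", "X", "Y"},
        blob_pairs={("B", "A"), ("C", "A"), ("D", "A")},
        edges={"e1", "e2", "e3", "e4"}, edge_pairs=set(),
        src={"e1": "X", "e2": "B", "e3": "C", "e4": "A"},
        tgt={"e1": "A", "e2": "C", "e3": "D", "e4": "Y"},
    )


def flattened():
    """The same picture with B, C, D merged into A: e2 and e3 become loops on A."""
    return Higraph(
        blobs={"A", "X", "Y"}, blob_pairs=set(),
        edges={"e1", "e2", "e3", "e4"}, edge_pairs=set(),
        src={"e1": "X", "e2": "A", "e3": "A", "e4": "A"},
        tgt={"e1": "A", "e2": "A", "e3": "A", "e4": "Y"},
    )


# tau_B collapses the contents of A onto A; tau_E is the identity on edges.
COLLAPSE_B = {"A": "A", "B": "A", "C": "A", "D": "A", "X": "X", "Y": "Y"}
IDENTITY_E = {e: e for e in ("e1", "e2", "e3", "e4")}
# Swapping X and Y is still monotone but breaks naturality at e1: tau_B(s(e1)) = Y while s'(e1) = X.
SWAP_XY_B = {**COLLAPSE_B, "X": "Y", "Y": "X"}

if __name__ == "__main__":
    chi = figure1_like()
    print(chi.is_valid(), sorted(chi.atomic_blobs()))
    print(is_morphism(chi, flattened(), COLLAPSE_B, IDENTITY_E),
          is_morphism(chi, flattened(), SWAP_XY_B, IDENTITY_E))
```

The collapsing morphism is exactly the kind of map Section 5 later formalises as zooming out; the failing candidate shows that monotonicity alone does not make a pair of functions a higraph morphism.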

4 A Binary Operation on Higraphs 

Diagrammatic representations of complex reactive systems directly in terms of 
simple (or “flat”) state-transition diagrams become impractical owing to the 
large number of states involved. Statecharts deal with this problem by allowing 
the modelling of reactive systems directly in terms of their identifiable concurrent 
subsystems: consider for instance the (very simple) Statechart 

[Figure not reproduced] 

representing two subsystems A and D operating concurrently. Assuming an interleaving model of concurrency, as is the case with Statecharts, the meaning of this picture is captured precisely by the operation 

[Figure not reproduced] 

where the resulting transition system is exactly the intended behaviour of the complete system. Thus the diagrammatic device employed enables the representation of a system having $n \times m$ states using only $n + m$ blobs. 

This operation, which in [4] is referred to as “a sort of product of automata”, 
is shown here to extend smoothly to higraphs. This is an essential step in pin- 
pointing the precise mathematical structures underpinning the semantics of Stat- 
echarts. For, more generally, the specifications of the subsystems (such as A and 
D in our example Statechart) typically bear higraph structure. 



4.1 Monoidal Product of Higraphs 

Notation 3. Given posets $A$ and $B$, write $A \times B$ for their (cartesian) product partially ordered pointwise, and $A + B$ for their disjoint union. $0$ will denote the empty poset, whereas $1$ will stand for the poset over the singleton $\{*\}$. For any poset $A$, $A \times 0$ will henceforth be regarded as identical to $0$, whereas $A + 0$ will be identified with $A$. 



Definition 3. Given higraphs $\chi = (s, t : E \to B)$ and $\chi' = (s', t' : E' \to B')$, their monoidal product $\chi \otimes \chi'$ is defined as having 

— poset of blobs the cartesian product $B \times B'$; 

— poset of edges $(E \times B') + (B \times E')$; 

— source function given by the mapping $(e, b') \mapsto (s(e), b')$, and target function given similarly. □ 

The definition of $\otimes$ also extends to morphisms: 

Definition 4. Given arrows $h : \chi_1 \to \chi_2$ and $h' : \chi'_1 \to \chi'_2$, where $\chi_i = (s_i, t_i : E_i \to B_i)$ and $\chi'_i = (s'_i, t'_i : E'_i \to B'_i)$, let $h \otimes h' : \chi_1 \otimes \chi'_1 \to \chi_2 \otimes \chi'_2$ be the natural transformation with components determined by the mapping $(b_1, b'_1) \mapsto (h(b_1), h'(b'_1))$ on blobs and $(e_1, b'_1) \mapsto (h(e_1), h'(b'_1))$, $(b_1, e'_1) \mapsto (h(b_1), h'(e'_1))$ on edges. □ 

Our product of higraphs is associative, in the sense that an isomorphism of higraphs³ $\alpha_{\chi,\chi',\chi''} : \chi \otimes (\chi' \otimes \chi'') \to (\chi \otimes \chi') \otimes \chi''$ exists for every triple of higraphs, and is subject to the usual coherence conditions [7] (p. 161). On blobs, for instance, the effect of $\alpha$ is determined by the mapping $(b, (b', b'')) \mapsto ((b, b'), b'')$. The operation $\otimes$ is also symmetric insofar as an isomorphism $\gamma_{\chi,\chi'} : \chi \otimes \chi' \to \chi' \otimes \chi$ exists for every pair of higraphs, determined by the mappings $(e, b') \mapsto (b', e)$, $(b, e') \mapsto (e', b)$, $(b, b') \mapsto (b', b)$. 

Definition 5. Let $*$ be the higraph with blob poset $1$, edge poset $0$, and source and target functions given by the unique monotone function from $0$ to $1$. □ 

³ I.e. morphism of higraphs both of whose components are isomorphisms in Poset. 
The higraph $*$ acts as a unit for $\otimes$ in the sense that isomorphisms $\rho_\chi : \chi \otimes * \to \chi$ and $\lambda_\chi : * \otimes \chi \to \chi$ exist for every $\chi$. Routine calculation confirms that $\alpha$, $\lambda$, $\rho$ and $\gamma$ satisfy the coherence conditions [7] (p. 158, 159) necessary to show the following 

Theorem 1. $(\mathcal{H}, \otimes, *, \alpha, \lambda, \rho, \gamma)$ is a symmetric monoidal category. 
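Added example (not the paper's code) computing the product of Definition 3 and the unit of Definition 5 on plain tuples. The two constructed subsystems stand in for A and D of the Statechart above; the clause $(b, e') \mapsto (b, s'(e'))$ on the second summand, which the definition leaves as "given similarly", is an assumption here (consistent with Harel's product of automata). The checks confirm the count of $n \times m$ states from $n + m$ blobs, that the product is again a higraph, that every product edge moves only one coordinate (the interleaving reading), and that $*$ leaves sizes unchanged:

```python
"""Added example (not from the paper): the monoidal product (Definition 3) and its unit (Definition 5).

Higraphs are plain tuples (B, le_B, E, le_E, s, t); each order is a set of (u, v) pairs meaning u <= v
and is assumed already reflexive and transitive."""
from itertools import product


def tensor(x, y):
    """chi (x) chi': blobs B x B', edges (E x B') + (B x E'), sources/targets acting on one coordinate.
    The clause (b, e') |-> (b, s'(e')) is an assumption completing the paper's 'given similarly'."""
    B, leB, E, leE, s, t = x
    B2, leB2, E2, leE2, s2, t2 = y
    blobs = set(product(B, B2))
    blob_le = {((a, a2), (b, b2)) for (a, b) in leB for (a2, b2) in leB2}        # pointwise order
    left = {("L", e, b2) for e in E for b2 in B2}                                 # E x B'
    right = {("R", b, e2) for b in B for e2 in E2}                                # B x E'
    edge_le = ({(("L", e, a2), ("L", f, b2)) for (e, f) in leE for (a2, b2) in leB2}
               | {(("R", a, e2), ("R", b, f2)) for (a, b) in leB for (e2, f2) in leE2})
    src = {("L", e, b2): (s[e], b2) for e in E for b2 in B2}
    src.update({("R", b, e2): (b, s2[e2]) for b in B for e2 in E2})
    tgt = {("L", e, b2): (t[e], b2) for e in E for b2 in B2}
    tgt.update({("R", b, e2): (b, t2[e2]) for b in B for e2 in E2})
    return (blobs, blob_le, left | right, edge_le, src, tgt)


# The higraph * of Definition 5: one blob, no edges.
UNIT = ({"*"}, {("*", "*")}, set(), set(), {}, {})


def discrete(blobs, edges):
    """Constructed flat state machine with discrete orders; edges is a dict name -> (source, target)."""
    return (set(blobs), {(b, b) for b in blobs}, set(edges), {(e, e) for e in edges},
            {e: st[0] for e, st in edges.items()}, {e: st[1] for e, st in edges.items()})


# Constructed analogues of the subsystems A and D of the Statechart in Section 4.
SUB_A = discrete({"A1", "A2"}, {"a": ("A1", "A2")})
SUB_D = discrete({"D1", "D2"}, {"d1": ("D1", "D2"), "d2": ("D2", "D1")})


def size(h):
    """(number of blobs, number of edges)."""
    return len(h[0]), len(h[2])


def is_interleaving(p):
    """Every edge of a product changes at most one coordinate: the interleaving model of concurrency."""
    _, _, E, _, s, t = p
    return all(sum(1 for u, v in zip(s[e], t[e]) if u != v) <= 1 for e in E)


def is_higraph(h):
    """Sanity check (Definition 1): s and t are monotone with respect to the constructed orders."""
    _, leB, _, leE, s, t = h
    return all((s[e], s[f]) in leB and (t[e], t[f]) in leB for (e, f) in leE)


if __name__ == "__main__":
    p = tensor(SUB_A, SUB_D)
    print(size(p), is_interleaving(p), is_higraph(p), size(tensor(SUB_A, UNIT)))
```

Two blobs plus two blobs give a product with four states and six transitions, each transition being a step of exactly one subsystem, which is what the Statechart picture of concurrent subsystems A and D denotes.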

Given this symmetric monoidal structure on $\mathcal{H}$, every pair $\chi, \chi'$ of higraphs determines very naturally an intuitive higraph $[\chi, \chi']$ in which the blobs correspond to all morphisms in $\mathcal{H}$ from $\chi$ to $\chi'$ and the edges capture all transformations⁴ between them: 

Definition 6. Define the higraph $[\chi', \chi'']$ having 

— blobs $B$ all morphisms $h : \chi' \to \chi''$, ordered pointwise as pairs of arrows in Poset; 

— poset $E$ of edges consisting of all $(h, \tau, h') \in B \times [B', E''] \times B$, where $[B', E'']$ is the poset of all monotone functions from $B'$ to $E''$, such that $s''(\tau(b')) = h(b')$ and $t''(\tau(b')) = h'(b')$; 

— source and target functions given by the evident first and third projections from $E$ into $B$. □ 

Moreover, an arrow $\mathrm{eval}_{\chi,\chi'} : [\chi, \chi'] \otimes \chi \to \chi'$ always exists subject to the following universal property: for every other arrow $f : \chi'' \otimes \chi \to \chi'$ in $\mathcal{H}$, a unique arrow $f' : \chi'' \to [\chi, \chi']$ exists in $\mathcal{H}$ such that $\mathrm{eval}_{\chi,\chi'} \circ (f' \otimes \mathrm{id}_\chi) = f$. In this case one says that the symmetric monoidal structure on $\mathcal{H}$ is closed [7] (p. 180). Indeed: 

Theorem 2. The symmetric monoidal category $(\mathcal{H}, \otimes, \alpha, \lambda, \rho, \gamma)$ is closed. 

Proof. One straightforwardly calculates that $\mathrm{eval}_{\chi,\chi'}$ with components given by the mappings $(h, b) \mapsto h(b)$ and $((h, \tau, h'), b) \mapsto \tau(b)$ (where $h, h'$ are arrows from $\chi$ to $\chi'$ in $\mathcal{H}$ and $\tau$ is a transformation from $h$ to $h'$) has the universal property required. 



5 Zooming Out 

We begin our analysis with the simplest, and most frequently occurring in prac- 
tice, instance of a zooming operation on higraphs: the selection of a single blob 
and the subsequent removal from view of all blobs contained in it. An example 
is illustrated in the transition from the left to the right half of Figure 2. 

To capture the notion of selecting a blob in a higraph we introduce the 
following: 

⁴ Given any two morphisms $h, k : \chi \to \chi'$, a transformation from $h$ to $k$ is a monotone function $\tau : B \to E'$ such that $s'(\tau(b)) = h(b)$ and $t'(\tau(b)) = k(b)$ for all $b \in B$. 
Fig. 2. Zooming out of a blob in a higraph. 



Definition 7. A pointed higraph $\psi$ consists of an ordinary higraph $\chi$ together with a distinguished blob in $\chi$ called the point of $\psi$. This is tantamount to defining a pointed higraph as an arrow $\psi : * \to \chi$ from $*$, the higraph consisting of a single blob and no edges, to $\chi$. □ 



Definition 8. A morphism from a pointed higraph $\psi : * \to \chi$ to a pointed higraph $\psi' : * \to \chi'$ is a morphism $m : \chi \to \chi'$ such that $\psi' = m \circ \psi$. □ 

That is, $m$ sends the point of $\psi$ to the point of $\psi'$. Thus, the category $\mathcal{H}_*$ of pointed higraphs is the comma category [7] (p. 46) $(* \downarrow \mathcal{H})$. 

Notation 4. Let $\mathcal{H}_{*,\min}$ be the full subcategory of $\mathcal{H}_*$ consisting of all objects (pointed higraphs) in which the point is minimal wrt. the partial order on blobs; in other words, the point is an atomic blob. Let $I$ be the full functor including $\mathcal{H}_{*,\min}$ into $\mathcal{H}_*$. 

The operation of zooming out may thus be approached at first as a function $Z$ from the objects of $\mathcal{H}_*$ to the objects of $\mathcal{H}_{*,\min}$ since, in essence, it reduces the point (selected blob) of $\psi$ to a minimal point in $Z(\psi)$. 

Definition 9. Let $\psi : * \to \chi$ be a pointed higraph with $\chi = (s, t : E \to B)$ and point, say, $p \in B$. Formally, $Z(\psi)$ is determined by the following data: 

— blobs: $B' = B \setminus \{b \mid b < p\}$ (ordered by the restriction to $B'$ of the partial order on $B$); 

— edges: $E$, with the source and target functions being $q \circ s$ and $q \circ t$ respectively, where $q : B \to B'$ is the (obviously monotone) function mapping each $b \not< p$ in $B$ to $b \in B'$ and each $b < p$ to $p \in B'$; 

— point: $p$. □ 

Thus, any edges emanating from or targeting sub-blobs of the point $p$ in $\psi$ have their source or target fixed accordingly to the new, minimal point in $Z(\psi)$⁵. 

One now observes that, while the essence of $Z$ is to turn the point of $\psi$ to a minimal point, it does so “least disruptively” wrt. the structure of $\psi$. This latter 

⁵ Thus, edges contained entirely within $p$ in $\psi$ become endo-edges on $p$ in $Z(\psi)$ and may be subsequently removed, if required, by means of a straightforward operation on pointed higraphs. 
observation suggests that the effect of $Z$ is precisely captured by a universal property corresponding to an adjunction of functors. 

The universal property in question is formulated in terms of a family $\eta_\psi : \psi \to I(Z(\psi))$ of arrows in $\mathcal{H}_*$, one for each object $\psi$. It states that for each pointed higraph of the form $I(\psi')$, that is one with minimal point, and arrow $f : \psi \to I(\psi')$ there is a unique arrow $f' : Z(\psi) \to \psi'$ in $\mathcal{H}_{*,\min}$ making the triangle 

         η_ψ 
    ψ ----------> I(Z(ψ)) 
      \             | 
     f \            | I(f') 
        v           v 
           I(ψ') 

commute, that is, $I(f') \circ \eta_\psi = f$. If this universal property holds, $Z$ may be extended to a functor which is called a left adjoint to $I$, with the family $\eta$ being referred to as the unit of the adjunction [7]. Indeed, this is so in our case: 



Theorem 3. The function $Z$ extends to a functor from $\mathcal{H}_*$ to $\mathcal{H}_{*,\min}$ which is left adjoint to the inclusion functor $I$. 

Proof. Let $\psi = (s, t : E \to B)$. It is routine to verify that $\eta_\psi = (\mathrm{id}_E, q)$ (with $q$ as given in Definition 9) is an arrow in $\mathcal{H}_*$ from $\psi$ to $I(Z(\psi)) = (q \circ s, q \circ t : E \to B')$. Given any other arrow $f = (f_E, f_B) : \psi \to I(\psi')$ in $\mathcal{H}_*$, the component $f_B$ induces a unique monotone function $f'_B$ on $B'$ (the one mapping each $b \in B'$ to $f_B(b)$) such that $f'_B \circ q = f_B$. Then $f' = (f_E, f'_B) : Z(\psi) \to \psi'$ is the unique arrow in $\mathcal{H}_{*,\min}$ such that $I(f') \circ \eta_\psi = f$ as required. It now follows from Theorem IV.2(ii) of [7] that the function $Z$ extends to a functor which is left adjoint to the inclusion $I$. 
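Single-blob zoom-out as in Definition 9, together with the blob component $q$ of the unit $\eta_\psi = (\mathrm{id}_E, q)$ from the proof of Theorem 3, as an added example (not the paper's code). Higraphs are plain tuples, a pointed higraph is a pair (higraph, point), and the sample is constructed after Figure 2 with A containing B, C, D (the other labels are assumptions). The checks show that the point becomes atomic, that edges formerly inside A become endo-edges on A (footnote 5), and that zooming out of an already atomic point changes nothing:

```python
"""Added example (not from the paper): Z(psi) of Definition 9 and the unit q of Theorem 3.

Higraphs are tuples (B, le_B, E, le_E, s, t); each order is a reflexive set of (u, v) pairs, u <= v."""


def unit_q(pointed):
    """q : B -> B' from Definition 9: q(b) = p for every b < p and q(b) = b otherwise."""
    (B, leB, _, _, _, _), p = pointed
    below = {b for (b, a) in leB if a == p and b != p}          # the sub-blobs b < p
    return {b: (p if b in below else b) for b in B}


def zoom_out(pointed):
    """Z(psi): drop every blob strictly below the point p and redirect edges through q."""
    (B, leB, E, leE, s, t), p = pointed
    q = unit_q(pointed)
    B2 = {b for b in B if q[b] == b}                             # B' = B \ {b | b < p}
    leB2 = {(a, b) for (a, b) in leB if a in B2 and b in B2}     # restriction of le_B to B'
    src = {e: q[s[e]] for e in E}                                # q o s
    tgt = {e: q[t[e]] for e in E}                                # q o t
    return ((B2, leB2, E, leE, src, tgt), p)


def is_minimal(pointed):
    """The point is atomic: no other blob lies below it (the objects of H_{*,min})."""
    (B, leB, _, _, _, _), p = pointed
    return not any(b != p and (b, p) in leB for b in B)


def endo_edges(pointed):
    """Edges with equal source and target; after zooming out these are the edges once inside p."""
    (_, _, E, _, s, t), _ = pointed
    return {e for e in E if s[e] == t[e]}


def sample():
    """Constructed pointed higraph after Figure 2: A contains B, C, D; X and Y lie outside; point A."""
    blobs = {"A", "B", "C", "D", "X", "Y"}
    leB = {(b, b) for b in blobs} | {("B", "A"), ("C", "A"), ("D", "A")}
    edges = {"e1", "e2", "e3", "e4"}
    higraph = (blobs, leB, edges, {(e, e) for e in edges},
               {"e1": "X", "e2": "B", "e3": "C", "e4": "A"},
               {"e1": "A", "e2": "C", "e3": "D", "e4": "Y"})
    return (higraph, "A")


if __name__ == "__main__":
    z = zoom_out(sample())
    print(sorted(z[0][0]), is_minimal(z), sorted(endo_edges(z)), unit_q(sample()))
```

The edge set is untouched, exactly as Definition 9 prescribes: only the source and target functions change, which is why $\eta_\psi$ can be the identity on edges.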



5.1 Generalising Zoom-Outs 

We now seek to generalise the zoom-out operation on higraphs so that detail is 
selectively suppressed throughout a chosen part of a given higraph, rather than 
only within a single blob. In particular, this allows the precise selection of which 
specific sub-blobs are to disappear from view. In the example of Figure 3, the 




Fig. 3. Example of generalised zoom-out on higraphs. 



sub-blobs B and C of A in higraph on the left are selectively discarded from view 
resulting in the higraph pictured on the right. 
Connected Components in Partial Orders. Consider the functor $\delta : \mathrm{Set} \to \mathrm{Poset}$ taking each set to the discrete partial order over the same elements, and the functor $\pi : \mathrm{Poset} \to \mathrm{Set}$ giving for each poset $A$ its set of connected components. Explicitly, $\pi(A)$ is the quotient set $A/\!\sim$, where $\sim$ is the equivalence relation generated by $a \le a'$ or $a' \le a$. 

Proposition 1. $\pi$ is left adjoint to $\delta$. 

Proof. Routine calculation reveals $\eta_A : A \to \delta(\pi(A))$, defined as mapping each $a \in A$ to its class $[a]$, to have the required universal property. 

The functors $\pi$ and $\delta$ induce corresponding functors $\Pi : [\bullet \rightrightarrows \bullet, \mathrm{Poset}] \to [\bullet \rightrightarrows \bullet, \mathrm{Set}]$ and $D : [\bullet \rightrightarrows \bullet, \mathrm{Set}] \to [\bullet \rightrightarrows \bullet, \mathrm{Poset}]$. 

Definition 10. Given any object $g$ of $[\bullet \rightrightarrows \bullet, \mathrm{Set}]$ (that is, a graph), $D(g)$ is the higraph produced by the discrete partial orderings on both the edges and vertices of $g$. On the other hand, $\Pi(\chi)$, where $\chi = (s, t : E \to B)$, is the graph having: 

— set of edges $\pi(E)$, the connected components of $E$; 

— set of nodes $\pi(B)$, the connected components of $B$; 

— source function the unique arrow $s' : \pi(E) \to \pi(B)$ in Set, asserted by the universal property of the adjunction in Proposition 1, such that $\delta(s') \circ \eta_E = \eta_B \circ s$ in Poset (where $\eta$ is the unit of the adjunction in Proposition 1); 

— target function given similarly. □ 

Proposition 2. $\Pi$ is left adjoint to $D$. 

Proof. A routine verification shows that each arrow $\eta_\chi : \chi \to D(\Pi(\chi))$ in $\mathcal{H} = [\bullet \rightrightarrows \bullet, \mathrm{Poset}]$ with components $(\eta_E, \eta_B)$ (given by the unit of the adjunction in Proposition 1) has the requisite universal property. 

As an example consider the mapping 

[Figure not reproduced] 

in which the partial ordering on edges is assumed for the higraph pictured on the left of 

[Figure not reproduced] 

Zooming-Out as a Pushout Construction. Recalling that we are generalising zooming-out to part of a given higraph $\chi$, one first selects the required part (sub-higraph) by means of a monomorphism⁶, $m : \sigma \to \chi$. In the example of Figure 3, $\sigma$ would be the higraph 

[Figure not reproduced] 

and $m$ would be its inclusion into the left-hand side of Figure 3. 

⁶ I.e. morphism of higraphs both of whose components are injective functions. 

Rewriting the selected part involves the reduction of (the image in $\chi$ of) $\sigma$ to its connected components wrt. the partial orders involved. Thus the rewrite step is captured precisely as the morphism $\eta_\sigma : \sigma \to D\Pi(\sigma)$ mapping the blobs and edges in $\sigma$ to the connected components in which they belong. Specifically, $\eta_\sigma$ is the component at $\sigma$ of the unit of the adjunction in Proposition 2. 

Assume now $Z(m)$ to be a candidate higraph for the result of our zooming-out operation given $m$. In $Z(m)$, the occurrence of $\sigma$ in $\chi$ specified by $m$ must be rewritten as $D\Pi(\sigma)$. Thus, a morphism $f : D\Pi(\sigma) \to Z(m)$ must exist witnessing this and, moreover, a morphism $g : \chi \to Z(m)$ must also exist making the square 

          η_σ 
    σ -----------> DΠ(σ) 
    |                | 
  m |                | f                    (1) 
    v                v 
    χ -----------> Z(m) 
          g 

in $\mathcal{H}$ commute, that is, $g \circ m = f \circ \eta_\sigma$. 

One now observes that $Z(m)$ is the required higraph if it satisfies a particular universal property: given the morphisms $m$ and $\eta_\sigma$, any other pair of morphisms $f' : D\Pi(\sigma) \to z'$ and $g' : \chi \to z'$ into another candidate $z'$ such that $f' \circ \eta_\sigma = g' \circ m$ induces a unique morphism $u : Z(m) \to z'$ such that both $f' = u \circ f$ and $g' = u \circ g$. 

A square such as (1) above with this property is called a pushout square. The universal property in our case expresses precisely that $Z(m)$ contains no edges or blobs which are not in $\chi$ or $D\Pi(\sigma)$ and that it is obtained in the “least disruptive” way wrt. the structure of $\chi$. 

The following definition provides an explicit description of the required higraph $Z(m)$: 

Definition 11. Let $m : \sigma \to \chi$ be a monomorphism in $\mathcal{H}$, where $\chi = (s, t : E \to B)$ and $\sigma = (s', t' : E' \to B')$. Define the higraph $Z(m)$ as having: 

— blobs: $B/\!\equiv_m$, where $\equiv_m$ is the least equivalence relation on (the set underlying) $B$ containing all pairs $(m(b'_1), m(b'_2))$ such that $\eta_\sigma(b'_1) = \eta_\sigma(b'_2)$, partially ordered by $[b_1] \le [b_2]$ iff $b_1 \le_B b_2$; 

— edges defined similarly to the case for blobs above; 

— source and target functions sending each $[e]$ to $[s(e)]$ and $[t(e)]$ respectively. □ 
Theorem 4. For every monomorphism $m : \sigma \to \chi$ there exist arrows $f$ and $g$ such that square (1), with $Z(m)$ as in Definition 11, is a pushout square in $\mathcal{H}$. 

Proof. Outline: $g$ is defined to map every element (i.e. blob or edge) $x$ in $\chi$ to its equivalence class $[x]$ in $Z(m)$. The arrow $f$ maps every element $[y]$, which by definition of $D\Pi(\sigma)$ is an equivalence class of elements in $\sigma$, to $[m(y)]$ in $Z(m)$. The universal property follows from the properties of the quotients involved in the definition of $Z(m)$. 
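Added example (not from the paper) implementing the connected-component functor of Proposition 1 and Definition 10 by union-find, and the quotient construction of Definition 11 for a sub-higraph $\sigma$ given by its blob and edge subsets, with $m$ taken to be the inclusion (an assumption that keeps the code short). The sample is constructed after Figure 3 (A containing B, C, D; labels X, Y and the edges are assumptions); the first call discards B and C from view while D survives, and the second reproduces the single-blob zoom-out of Proposition 3 by taking $\sigma = \chi_{\le A}$:

```python
"""Added example (not from the paper): pi / Pi (Proposition 1, Definition 10) and Z(m) (Definition 11).

Higraphs are tuples (B, le_B, E, le_E, s, t); each order is a reflexive set of (u, v) pairs, u <= v."""


def components(elements, le):
    """eta_A : A -> pi(A): each element mapped to a representative of its class under the
    equivalence generated by a <= a' or a' <= a (union-find)."""
    parent = {x: x for x in elements}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for (a, b) in le:
        parent[find(a)] = find(b)
    return {x: find(x) for x in elements}


def graph_of_components(h):
    """Pi(chi): nodes pi(B), edges pi(E), with the source/target induced on components."""
    B, leB, E, leE, s, t = h
    eta_B, eta_E = components(B, leB), components(E, leE)
    src, tgt = {}, {}
    for e in E:   # well defined because s and t are monotone, as Definition 10 asserts
        for table, f in ((src, s), (tgt, t)):
            if table.setdefault(eta_E[e], eta_B[f[e]]) != eta_B[f[e]]:
                raise ValueError("source/target not constant on an edge component")
    return set(eta_B.values()), set(eta_E.values()), src, tgt


def quotient(elements, le, merge_pairs):
    """Least equivalence on `elements` containing merge_pairs, plus the induced relation on classes."""
    cls = components(elements, {(x, x) for x in elements} | set(merge_pairs))
    return cls, {(cls[a], cls[b]) for (a, b) in le}


def generalised_zoom_out(h, sigma_blobs, sigma_edges):
    """Z(m) for the inclusion m of sigma into chi: identify the elements of sigma that lie in one
    connected component of sigma. Returns (Z(m), class map on blobs, class map on edges)."""
    B, leB, E, leE, s, t = h
    sigma_leB = {(a, b) for (a, b) in leB if a in sigma_blobs and b in sigma_blobs}
    sigma_leE = {(a, b) for (a, b) in leE if a in sigma_edges and b in sigma_edges}
    eta_B = components(sigma_blobs, sigma_leB)      # eta_sigma on blobs
    eta_E = components(sigma_edges, sigma_leE)      # eta_sigma on edges
    cls_B, leB2 = quotient(B, leB, {(b, eta_B[b]) for b in sigma_blobs})
    cls_E, leE2 = quotient(E, leE, {(e, eta_E[e]) for e in sigma_edges})
    src = {cls_E[e]: cls_B[s[e]] for e in E}        # [e] |-> [s(e)]
    tgt = {cls_E[e]: cls_B[t[e]] for e in E}        # [e] |-> [t(e)]
    return (set(cls_B.values()), leB2, set(cls_E.values()), leE2, src, tgt), cls_B, cls_E


def sample():
    """Constructed after Figure 3: A contains B, C, D; X and Y lie outside; four edges."""
    blobs = {"A", "B", "C", "D", "X", "Y"}
    edges = {"e1", "e2", "e3", "e4"}
    return (blobs, {(b, b) for b in blobs} | {("B", "A"), ("C", "A"), ("D", "A")},
            edges, {(e, e) for e in edges},
            {"e1": "X", "e2": "B", "e3": "C", "e4": "A"},
            {"e1": "A", "e2": "C", "e3": "D", "e4": "Y"})


if __name__ == "__main__":
    z, cb, ce = generalised_zoom_out(sample(), {"A", "B", "C"}, {"e2"})
    print(len(z[0]), cb["B"] == cb["A"], cb["D"] == cb["A"])
    z2, cb2, _ = generalised_zoom_out(sample(), {"A", "B", "C", "D"}, set())
    print(len(z2[0]), sorted(set(cb2.values())))
```

With $\sigma$ = A together with B and C (and the edge between them), the three blobs collapse to one class while D keeps its own class below it and e3 now runs from [A] to [D]; with $\sigma = \chi_{\le A}$ the result has three blobs and e2, e3 become endo-edges on [A], matching Definition 9.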



The Special Case of Single-Blob Zoom-Out. We conclude this section 
by recasting single-blob zoom-out as an instance of the generalised zoom-out 
operation. 

Proposition 3. Let $\psi$ be a pointed higraph with underlying higraph $\chi$ and point $p$, and $\chi_{\le p}$ be the higraph with no edges and blobs all $b \le p$ in $\chi$. Denote by $m$ the inclusion of $\chi_{\le p}$ into $\chi$ and by $z(\psi)$ the ordinary higraph underlying $Z(\psi)$ as in Definition 9. Then 

            η_{χ≤p} 
    χ_{≤p} ----------> DΠ(χ_{≤p}) = ∗ 
      |                     | 
    m |                     | Z(ψ) 
      v                     v 
      χ -----------------> z(ψ) 
               η_ψ 

where $\eta_\psi$ is the instance at $\psi$ of the unit of the adjunction in Theorem 3, is a pushout square in $\mathcal{H}$. 

Proof. For conciseness, we have identified $Z(\psi) \circ i$, where $i$ is the isomorphism $D\Pi(\chi_{\le p}) \cong *$, with $Z(\psi)$. Taking this convention into account the square is easily seen to commute by the definition of $\eta_\psi$. 

Assume now arrows $f : D\Pi(\chi_{\le p}) \to \chi'$ and $g = (g_E, g_B) : \chi \to \chi'$ in $\mathcal{H}$ to be such that $g \circ m = f \circ \eta_{\chi_{\le p}}$. Form the arrow $u : z(\psi) \to \chi'$ mapping each edge $[e] = \{e\}$ in $z(\psi)$ to $g_E(e)$ and each blob $[b]$ in $z(\psi)$ to $g_B(b)$. This is easily seen to be the unique such arrow satisfying $u \circ \eta_\psi = g$ and $u \circ Z(\psi) = f$. 



6 Completion of a Higraph 

Another operation, useful in understanding the semantics of higraphs, is to ex- 
plicate all edges which are understood as being implicitly present in a higraph. 
Recall that the intuition underlying the interpretation of higraphs is that any 
edge between blobs b and b' implies the presence of “lower-level” , implicit edges 
from all blobs contained in b to all blobs contained in b' . The effect of our “com- 
pletion” operation is illustrated in Figure 4. 

We now proceed to formalise this construction and formulate the universal 
property from which it arises. 
Fig. 4. Completion of a simple higraph, where the added edges are shown dashed. 



Definition 12. Let $\chi = (s, t : E \to B)$ be a higraph. The higraph $T(\chi)$, called the completion of $\chi$, is determined by the following data: 

— edges: the subset of $E \times (B \times B)$ consisting of those pairs $(e, (b, b'))$ such that $b \le_B s(e)$ and $b' \le_B t(e)$, partially ordered by $(e_1, (b_1, b'_1)) \le (e_2, (b_2, b'_2))$ iff $e_1 \le_E e_2$, $b_1 \le_B b_2$ and $b'_1 \le_B b'_2$; 

— blobs: $B$; 

— source and target functions given respectively by the (monotone) mappings $(e, (b, b')) \mapsto b$ and $(e, (b, b')) \mapsto b'$. □ 

Notice, in particular, how each “added” or “new” edge in $T(\chi)$ becomes “less than” the one from which it is derived. In order to formalise this observation, we require a non-strict notion of morphism capable of mapping $T(\chi)$ into $\chi$. 

Definition 13. An oplax natural transformation $\tau$ from $\chi$ to $\chi'$ (functors from $\bullet \rightrightarrows \bullet$ to Poset) consists of the same data as a (strict) natural transformation except that the naturality condition requires that 

$\tau_B \circ s \sqsubseteq s' \circ \tau_E$ and $\tau_B \circ t \sqsubseteq t' \circ \tau_E$. 

Here $\sqsubseteq$ is the usual partial order on the set $[A, B]$ of all monotone functions from poset $A$ to poset $B$ whereby $f \sqsubseteq g$ iff $f(a) \le_B g(a)$ for all $a \in A$. □ 

Notation 5. Hereafter we abbreviate $\mathrm{Oplax}[\bullet \rightrightarrows \bullet, \mathrm{Poset}]$, the category having all functors from $\bullet \rightrightarrows \bullet$ to Poset as objects with oplax natural transformations as arrows, as $\mathcal{H}_o$. 

Clearly, as every (strict) natural transformation is also an oplax one, an inclusion functor $J : \mathcal{H} \to \mathcal{H}_o$ exists. 

Theorem 5. The function $T$ extends to a functor $T : \mathcal{H}_o \to \mathcal{H}$ which is right adjoint to the inclusion $J : \mathcal{H} \to \mathcal{H}_o$. 

Proof. (Sketch) For every $\chi$ with edges $E$ and blobs $B$, let $\varepsilon_\chi : J(T(\chi)) \to \chi$, where $J$ is the inclusion of $\mathcal{H}$ into $\mathcal{H}_o$, be the oplax morphism sending each edge $(e, (b, b'))$ to $e$ and acting like the identity on the common set of blobs $B$. The resulting family $\varepsilon$ of morphisms satisfies a universal property dual to that of the unit in an adjunction: every arrow $f : J(\chi') \to \chi$ induces a unique arrow $f' : \chi' \to T(\chi)$ in $\mathcal{H}$ such that $f = \varepsilon_\chi \circ J(f')$. One now appeals to Theorem IV.2.(iv) of [7]. 
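Added example (not the paper's code) building $T(\chi)$ of Definition 12 on a sample constructed after Figure 4 (blob labels P, P1, P2, Q, Q1 and the single edge are assumptions) and checking that the counit $\varepsilon_\chi$ from the proof of Theorem 5 is an oplax morphism in the sense of Definition 13 but not a strict one in the sense of Definition 2:

```python
"""Added example (not from the paper): completion T(chi) (Definition 12), strict vs. oplax
naturality (Definitions 2 and 13) and the counit eps_chi of Theorem 5.

Higraphs are tuples (B, le_B, E, le_E, s, t); each order is a reflexive, transitive set of (u, v) pairs."""


def completion(h):
    """T(chi): an edge (e, (b, b')) for every b <= s(e) and b' <= t(e), ordered componentwise."""
    B, leB, E, leE, s, t = h
    edges = {(e, (b, b2)) for e in E for b in B for b2 in B
             if (b, s[e]) in leB and (b2, t[e]) in leB}
    edge_le = {(x, y) for x in edges for y in edges
               if (x[0], y[0]) in leE and (x[1][0], y[1][0]) in leB and (x[1][1], y[1][1]) in leB}
    src = {x: x[1][0] for x in edges}
    tgt = {x: x[1][1] for x in edges}
    return (B, leB, edges, edge_le, src, tgt)


def naturality(x, y, tau_B, tau_E, strict=True):
    """strict=True (Definition 2): tau_B o s = s' o tau_E and likewise for t.
    strict=False (Definition 13): the equalities weaken to tau_B o s ⊑ s' o tau_E, i.e. pointwise <=."""
    _, leBx, Ex, leEx, sx, tx = x
    _, leBy, _, leEy, sy, ty = y
    monotone = (all((tau_B[a], tau_B[b]) in leBy for (a, b) in leBx)
                and all((tau_E[a], tau_E[b]) in leEy for (a, b) in leEx))

    def ok(u, v):
        return u == v if strict else (u, v) in leBy

    return monotone and all(ok(tau_B[sx[e]], sy[tau_E[e]]) and ok(tau_B[tx[e]], ty[tau_E[e]])
                            for e in Ex)


def counit(h):
    """eps_chi : T(chi) -> chi: identity on blobs and (e, (b, b')) |-> e on edges (proof of Theorem 5)."""
    B, _, E, _, _, _ = completion(h)
    return {b: b for b in B}, {x: x[0] for x in E}


def added_edges(h):
    """Edges of T(chi) other than the copies (e, (s(e), t(e))) of the original edges."""
    _, _, _, _, s, t = h
    return {x for x in completion(h)[2] if x[1] != (s[x[0]], t[x[0]])}


def sample():
    """Constructed after Figure 4: P contains P1 and P2, Q contains Q1, and one edge e : P -> Q."""
    blobs = {"P", "P1", "P2", "Q", "Q1"}
    leB = {(b, b) for b in blobs} | {("P1", "P"), ("P2", "P"), ("Q1", "Q")}
    return (blobs, leB, {"e"}, {("e", "e")}, {"e": "P"}, {"e": "Q"})


if __name__ == "__main__":
    chi = sample()
    tb, te = counit(chi)
    print(len(completion(chi)[2]), len(added_edges(chi)),
          naturality(completion(chi), chi, tb, te, strict=False),
          naturality(completion(chi), chi, tb, te, strict=True))
```

The single edge P → Q expands to six edges (three possible sources below P times two possible targets below Q), each lying below the copy of the original edge in the edge order; the counit only satisfies the weakened, pointwise-≤ naturality, which is why the adjunction of Theorem 5 lives in $\mathcal{H}_o$ rather than $\mathcal{H}$.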
7 Higraphs with Loosely Attached Edges 

A mild extension to higraphs is briefly introduced in [4] permitting edges to be “loosely” attached to nodes, the four possibilities being illustrated in 

[Figure not reproduced] 

The rationale is to indicate transitions or relations between some as yet unspecified parts of the represented system. 

We cast such an extended higraph with blobs $B$ as an ordinary one having the same edges but containing two distinct copies $(0, b)$ and $(1, b)$ of each $b \in B$, tagged with 0's and 1's. In the pictorial representation of such extended higraphs the convention is that blobs tagged with 0 are not shown at all and that, for instance, an edge with target of the form $(0, b)$ has its endpoint lying inside the contour picturing $b$. 

Moreover one stipulates that $(0, b) \le (1, b)$ for all $b$, to capture the intuition underlying the pictorial representation. Any edge $(i, b) \to (j, b')$ will be called non-firm if $i = 0$ or $j = 0$. 



Definition 14. The category $\mathcal{LH}$ of higraphs with loosely attached edges has 

— objects: all pairs of parallel arrows $\phi = (s, t : E \to (\bullet \to \bullet) \times B)$ in Poset, where $\bullet \to \bullet$ is the poset $0 < 1$; 

— arrows: from $\phi = (s, t : E \to (\bullet \to \bullet) \times B)$ to $\phi' = (s', t' : E' \to (\bullet \to \bullet) \times B')$ all pairs $m = (m_0 : B \to B', m_1 : E \to E')$ such that 

                 m_1 
    E --------------------> E' 
    |                       | 
  s |                       | s' 
    v                       v 
  (•→•) × B ----------> (•→•) × B' 
              id × m_0 

commutes, and similarly for the corresponding square with sides $t$ and $t'$; 

— evident identities and composition defined componentwise. □ 

Let $U : \mathcal{LH} \to \mathcal{H}$ be the functor sending each $\phi$ in $\mathcal{LH}$ with blobs $(\bullet \to \bullet) \times B$ and edges $E$ to the higraph obtained by “forgetting” the non-firm edges of $\phi$. That is, $U(\phi)$ has blobs $B$ and an edge $e : b \to b'$ for each edge $e : (1, b) \to (1, b')$ in $\phi$. Consider now the function $J_!$ sending each $\chi = (s, t : E \to B)$ in $\mathcal{H}$ to $J_!(\chi)$ with blobs $(\bullet \to \bullet) \times B$ and an edge $e : (1, b) \to (1, b')$ for each edge $e : b \to b'$ in $\chi$. 

Proposition 4. The function $J_!$ extends to a functor which is left adjoint to $U$. 

Proof. It is routine to verify that the arrows $\eta_\chi : \chi \to U(J_!(\chi))$ with components given by the identities have the required universal property. 
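Added example (not the paper's code) for Section 7: tag_blobs plays the role of $J_!$, forget the role of $U$, and the checks confirm the stipulation $(0, b) \le (1, b)$, the classification of non-firm edges, and that the unit of Proposition 4 is the identity, i.e. $U(J_!(\chi)) = \chi$, on a constructed sample together with a second, loosely attached edge:

```python
"""Added example (not from the paper): higraphs with loosely attached edges, U and J_! (Section 7).

Higraphs are tuples (B, le_B, E, le_E, s, t). An object of LH has blobs (i, b) with i in {0, 1} and
(i, b) <= (j, b') iff i <= j and b <= b', the product order on (0 < 1) x B."""


def tag_blobs(h):
    """J_!(chi): two tagged copies of every blob; each edge b -> b' becomes the firm edge (1, b) -> (1, b')."""
    B, leB, E, leE, s, t = h
    blobs = {(i, b) for i in (0, 1) for b in B}
    blob_le = {((i, a), (j, b)) for (a, b) in leB for i in (0, 1) for j in (0, 1) if i <= j}
    return (blobs, blob_le, set(E), set(leE),
            {e: (1, s[e]) for e in E}, {e: (1, t[e]) for e in E})


def non_firm_edges(phi):
    """An edge (i, b) -> (j, b') is non-firm if i = 0 or j = 0."""
    _, _, E, _, s, t = phi
    return {e for e in E if s[e][0] == 0 or t[e][0] == 0}


def forget(phi):
    """U(phi): keep the untagged blobs (ordered as the copies tagged 1) and only the firm edges."""
    blobs, blob_le, E, leE, s, t = phi
    firm = E - non_firm_edges(phi)
    return ({b for (_, b) in blobs},
            {(a, b) for ((i, a), (j, b)) in blob_le if i == 1 and j == 1},
            firm, {(e, f) for (e, f) in leE if e in firm and f in firm},
            {e: s[e][1] for e in firm}, {e: t[e][1] for e in firm})


def sample():
    """Constructed ordinary higraph: P contains P1; one edge e : P -> Q."""
    blobs = {"P", "P1", "Q"}
    leB = {(b, b) for b in blobs} | {("P1", "P")}
    return (blobs, leB, {"e"}, {("e", "e")}, {"e": "P"}, {"e": "Q"})


def loose_sample():
    """Constructed object of LH: J_!(sample()) plus a loose edge f from Q into an unspecified part of P."""
    blobs, blob_le, E, leE, s, t = tag_blobs(sample())
    E, leE = E | {"f"}, leE | {("f", "f")}
    return (blobs, blob_le, E, leE, {**s, "f": (1, "Q")}, {**t, "f": (0, "P")})


if __name__ == "__main__":
    print(forget(tag_blobs(sample())) == sample(), non_firm_edges(loose_sample()))
```

Forgetting after tagging returns the original higraph unchanged, which is the content of the identity components of $\eta_\chi$ in the proof of Proposition 4; the loose edge f is exactly what $U$ discards.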

8 Outlook and Future Work 

This work is part of a project, drawing on cognitive, computational and mathe- 
matical views of diagrams, to research principles which will improve the design 
of diagrammatic, domain-specific programming languages. 

Typically the diagrams used in practice contain a multitude of subtly interacting features. This situation necessitates an analytic approach to identify suitable primitive structures and ways of combining them. Higraphs, featuring only an underlying graph structure and depth (hierarchy), appear to be an excellent point of departure in the study of diagrammatic features and their interaction.

Specifically with respect to higraphs and their applications, we aim to con- 
sider additional features (such as labelling and Harel’s “orthogonality”) towards 
obtaining a structured account of simple Statecharts. 





Semantic Characterisations of Second-Order Computability over the Real Numbers*

M.V. Korovina¹ and O.V. Kudinov²

¹ Institute of Informatics Systems, Lavrent'ev pr., 6, Novosibirsk, Russia
rita@inet.ssc.nsu.ru
² Institute of Mathematics, Koptug pr., 4, Novosibirsk, Russia
kud@math.nsc.ru



Abstract. We propose semantic characterisations of second-order computability over the reals based on $\Sigma$-definability theory. Notions of computability for operators and real-valued functionals defined on the class of continuous functions are introduced via domain theory. We consider the reals with and without equality and prove theorems which connect computable operators and real-valued functionals with validity of finite $\Sigma$-formulas.



1 Introduction 

To investigate semantic properties of computable operators and real-valued functionals we use the concept of generalised computability first proposed in [20]. This concept is the result of the development of two well-known non-equivalent approaches to computability over the real numbers.

The first one is related to abstract machines and schemes of computation (e.g. [5,26,14]). The result of such a computation is defined by a finite algorithm. Semantic characterisations of computable functions have been given in [25,6,10] from the point of view of definability. In this approach equality is usually used as a basic relation, so a computable function can be discontinuous. This diverges from the situation in concrete computability over the reals, in particular in computable analysis.

The second approach (e.g. [17,28,29,30,16,7,8,11,35,36,37]) is closely related to computable analysis. In this approach computation is an infinite process which produces approximations closer and closer to the result. We work in the framework of the second approach. The main result of our paper is an application of definability theory, which was originally used in the first approach, to the characterisation of an infinite computational process via validity of finite $\Sigma$-formulas. This paper is structured as follows.
In Section 2, we give basic definitions and tools. We study properties of operators and functionals considering their generalised computability relative either to the ordered reals with equality, or to the strictly ordered reals without equality.

In Section 3 we introduce notions of second-order computability via domain theory. In this work, to construct computational models for operators and functionals we will use continuous domains. Continuous domains, e.g. [29,30,16,7,8,11,35,36,37], are a generalisation of algebraic domains, e.g. [2,27,32,33]. The continuous domain (more precisely, the interval domain) for the reals was first proposed by Dana Scott [29] and later was applied to mathematics, physics and real number computation in [7,8,36,37,27] and other publications. In this section we propose continuous domains, named function domains, to construct a computational model of operators and real-valued functionals defined on the set of continuous real-valued functions.

In Section 4 we give semantic characterisations of computable operators and real-valued functionals.

In Section 5 we provide some concluding remarks.



2 Generalised Computability 

2.1 Terminology 

Throughout the article we consider two models of the real numbers: $\langle \mathbb{R}, \sigma_1 \rangle \rightleftharpoons \langle \mathbb{R}, 0, 1, +, \cdot, < \rangle$ is the model of the reals without equality, and $\langle \mathbb{R}, \sigma_2 \rangle \rightleftharpoons \langle \mathbb{R}, 0, 1, +, \cdot, <, = \rangle$ is the model of the reals with equality. Below, if statements concern both languages $\sigma_1$ and $\sigma_2$, we write $\sigma$ for a language. Denote $D_2 = \{ z \cdot 2^{-n} \mid z \in \mathbb{Z},\ n \in \mathbb{N} \}$. We use $\bar r$ to denote $r_1, \ldots, r_m$.



2.2 Basic Definitions 

To recall the notion of generalised computability, let us construct the set of hereditarily finite sets $\mathrm{HF}(M)$ over a model $M$. This structure is rather well studied in the theory of admissible sets [3] and permits us to define the natural numbers and to code and store information via formulas. Let $\mathbf{M}$ be a model of a language $\sigma$ whose carrier set is $M$. We construct the set of hereditarily finite sets $\mathrm{HF}(M) = \bigcup_{n\in\omega} S_n(M)$, where $S_0(M) \rightleftharpoons M$ and $S_{n+1}(M) \rightleftharpoons P_\omega(S_n(M)) \cup S_n(M)$ for $n \in \omega$, and for every set $B$, $P_\omega(B)$ is the set of all finite subsets of $B$.

We define $\mathbf{HF}(M) \rightleftharpoons \langle \mathrm{HF}(M), M, \sigma, \emptyset_{\mathrm{HF}(M)}, \in_{\mathrm{HF}(M)} \rangle$, where the unary predicate $\emptyset$ singles out the empty set and the binary predicate symbol $\in_{\mathrm{HF}(M)}$ has the set-theoretic interpretation.

Below we consider $\mathbf{M} = \mathbb{R}$, the language without equality $\sigma_1^* = \sigma_1 \cup \{\in, \emptyset\}$, and the language with equality $\sigma_2^* = \sigma_2 \cup \{\in, \emptyset\}$.

Below, if statements concern both languages $\sigma_1^*$ and $\sigma_2^*$, we write $\sigma^*$ for a language.
To introduce the notions of terms and atomic formulas we use variables of two sorts. Variables of the first sort range over $\mathbb{R}$ and variables of the second sort range over $\mathrm{HF}(\mathbb{R})$.

The terms in the language $\sigma_1^*$ are defined inductively as follows: 1. the constant symbols 0 and 1 are terms; 2. the variables of the first sort are terms; 3. if $t_1, t_2$ are terms then $t_1 + t_2$, $t_1 \cdot t_2$, $-t_1$ are terms. The notion of a term in the language $\sigma_2^*$ can be given in a similar way.

The following formulas in the language $\sigma_1^*$ are atomic: $t_1 < t_2$, $t \in s$ and $s_1 \in s_2$, where $t_1, t_2, t$ are terms and $s_1, s_2$ are variables of the second sort. The following formulas in the language $\sigma_2^*$ are atomic: $t_1 < t_2$, $t \in s$, $s_1 \in s_2$ and $t_1 = t_2$, where $t_1, t_2, t$ are terms and $s_1, s_2$ are variables of the second sort.

The set of $\Delta_0$-formulas in the language $\sigma^*$ is the closure of the set of atomic formulas in the language $\sigma^*$ under $\wedge$, $\vee$, $\neg$, $(\exists x \in s)$ and $(\forall x \in s)$, where $(\exists x \in s)\,\varphi$ denotes $\exists x\,(x \in s \wedge \varphi)$ and $(\forall x \in s)\,\varphi$ denotes $\forall x\,(x \in s \to \varphi)$, and $x, s$ are variables of the second sort.

The set of $\Sigma$-formulas in the language $\sigma^*$ is the closure of the set of $\Delta_0$-formulas in the language $\sigma^*$ under $\wedge$, $\vee$, $(\exists x \in s)$, $(\forall x \in s)$ and $\exists$. The natural numbers $0, 1, \ldots$ are identified with $\emptyset, \{\emptyset\}, \{\emptyset, \{\emptyset\}\}, \ldots$ so that, in particular, $n+1 = n \cup \{n\}$ and the set $\omega$ is a subset of $\mathrm{HF}(\mathbb{R})$.
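As an added worked example (not part of the paper), the following Python builds the first levels of $\mathrm{HF}(M)$ exactly as defined above, $S_0(M) = M$ and $S_{n+1}(M) = P_\omega(S_n(M)) \cup S_n(M)$, and codes the naturals as $0 = \emptyset$, $n+1 = n \cup \{n\}$. The carrier $M = \{\mathtt{r}\}$, the depth bound and all helper names are this example's own assumptions: a real carrier such as $\mathbb{R}$ is uncountable, and even over one urelement the levels grow as $2^{|S_n(M)|}$, so only a finite fragment can ever be materialised.

```python
"""First levels of HF(M), the hereditarily finite sets over a model M.

Added example, not from the paper.  Urelements (elements of the carrier M)
are plain strings; sets are frozensets.  The carrier M = {'r'} used in the
tests is an assumption chosen so the levels stay small: |S_{n+1}(M)| is about
2^|S_n(M)|, so only a few levels can ever be built explicitly.
"""
from itertools import combinations

EMPTY = frozenset()  # the empty set, singled out by the predicate ∅ of HF(M)


def finite_subsets(base):
    """P_ω(base): all finite subsets of a finite collection, as frozensets."""
    items = list(base)
    return {frozenset(c) for k in range(len(items) + 1)
            for c in combinations(items, k)}


def hf_levels(carrier, depth):
    """Return [S_0(M), ..., S_depth(M)] with S_0 = M and
    S_{n+1} = P_ω(S_n) ∪ S_n.  HF(M) is the union over all n."""
    levels = [frozenset(carrier)]
    for _ in range(depth):
        prev = levels[-1]
        levels.append(frozenset(finite_subsets(prev) | prev))
    return levels


def von_neumann(n):
    """The natural number n coded as a set: 0 = ∅ and n+1 = n ∪ {n}."""
    current = EMPTY
    for _ in range(n):
        current = frozenset(current | {current})
    return current


def is_natural(x):
    """True iff x is (the code of) a natural number.  A natural with k
    elements must be exactly von_neumann(k), so one comparison suffices."""
    return isinstance(x, frozenset) and x == von_neumann(len(x))


def naturals_in(level):
    """The natural numbers that already occur in a given level S_n(M)."""
    return sorted(len(x) for x in level if is_natural(x))


def first_level_containing(carrier, n, max_depth=3):
    """Smallest k <= max_depth with von_neumann(n) ∈ S_k(M), or None.

    Shows that ω ⊆ HF(M) needs unboundedly many levels: the code of n first
    appears at level n+1.  max_depth stays small because S_4 over one
    urelement already has 2^513 elements.
    """
    target = von_neumann(n)
    for k, level in enumerate(hf_levels(carrier, max_depth)):
        if target in level:
            return k
    return None
```

Over the one-element carrier the level sizes are 1, 3, 9 and 513: every set in $S_2(M)$ is a subset of $S_2(M)$, so $S_3(M)$ is $P_\omega(S_2(M))$ plus the single urelement. The naturals appear one level at a time, which is why the paper can treat $\omega$ as a subset of $\mathrm{HF}(\mathbb{R})$ but never as a subset of any single $S_n(\mathbb{R})$.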

Definition 1. A relation $B \subseteq \mathrm{HF}(\mathbb{R})^n$ is $\Sigma$-definable in $\sigma^*$ if there exists a $\Sigma$-formula $\Phi(\bar x)$ in the language $\sigma^*$ such that $\bar x \in B \leftrightarrow \mathbf{HF}(\mathbb{R}) \models \Phi(\bar x)$. A function is $\Sigma$-definable if its graph is $\Sigma$-definable.

Note that the set $\mathbb{R}$ is $\Delta_0$-definable in the language $\sigma_1^*$. This fact makes $\mathrm{HF}(\mathbb{R})$ a suitable domain for studying relations in $\mathbb{R}^n$ and functions from $\mathbb{R}^n$ to $\mathbb{R}$, where $n \in \omega$. To introduce the definition of generalised computability, we use the class of $\Sigma$-definable sets as a basic class. So, we recall some useful properties of $\Sigma$-definable subsets of $\mathbb{R}^n$.

Proposition 1.
1. If a set $A$ is $\Sigma$-definable in the language $\sigma_2^*$ then $A$ is $\Sigma$-definable in the language $\sigma_1^*$.
2. The sets $\mathrm{HF}(\emptyset)$, $\omega$ and the predicate of equality on $\mathrm{HF}(\emptyset)$ are $\Sigma$-definable in the language $\sigma_1^*$.
3. The set $\{(n, \bar r) \mid n \text{ is a G\"odel number of a } \Sigma\text{-formula } \Phi,\ \bar r \in \mathbb{R},\ \text{and } \mathbf{HF}(\mathbb{R}) \models \Phi(\bar r)\}$ is $\Sigma$-definable in the language $\sigma_1^*$.
4. A set $B \subseteq \mathbb{R}^n$ is $\Sigma$-definable in the language $\sigma_1^*$ if and only if there exists an effective sequence of quantifier-free formulas in the language $\sigma$, $\{\Phi_s(\bar x)\}_{s\in\omega}$, such that $\bar x \in B \leftrightarrow \mathbb{R} \models \bigvee_{s\in\omega} \Phi_s(\bar x)$.

Proof. Parts 1.–3. can be easily proved by the technique developed in [3,10,20]. Part 4. immediately follows from part 3. □

Below we will write $(\exists n \in \mathbb{N})\,\Phi(n, \bar x)$ instead of $\bigvee_{n\in\omega} \Phi(\bar n, \bar x)$ and $(\exists n \in D_2)\,\Phi(n, \bar x)$ instead of $\bigvee_{n,m\in\omega} \big( \Phi(\tfrac{\bar n}{2^m}, \bar x) \vee \Phi(-\tfrac{\bar n}{2^m}, \bar x) \big)$, where $\bar 0 = 0, \ldots, \overline{n+1} = \bar n + 1$.

Without loss of generality we consider the set of continuous functions defined on compact intervals with endpoints which are computable numbers in the sense of computable analysis (e.g. [28]).







To introduce generalised computability of operators and functionals we extend the languages $\sigma_1^*$ and $\sigma_2^*$ by two 3-ary predicates $U_1$ and $U_2$.

The following technical definition turns out to be rather clear in the framework of Definition 3 and Definition 4.

Definition 2. Let $\varphi_1(U_1,U_2,x_1,x_2,c)$, $\varphi_2(U_1,U_2,x_1,x_2,c)$ be formulas in the language $\sigma^*$. We suppose that $U_1, U_2$ occur positively in $\varphi_1, \varphi_2$ and the predicates $U_1, U_2$ define open sets on $\mathbb{R}^3$. The formulas $\varphi_1, \varphi_2$ are said to satisfy the joint continuity property if the following formulas are valid in $\mathbf{HF}(\mathbb{R})$:

1. $\forall x_1 \forall x_2 \forall x_3 \forall x_4 \forall z\, \big( (x_1 < x_3) \wedge (x_4 < x_2) \wedge \varphi_i(U_1,U_2,x_1,x_2,z) \big) \to \varphi_i(U_1,U_2,x_3,x_4,z)$, for $i = 1, 2$;

2. $\forall x_1 \forall x_2 \forall c \forall z\, \big( (z < c) \wedge \varphi_1(U_1,U_2,x_1,x_2,c) \big) \to \varphi_1(U_1,U_2,x_1,x_2,z)$;

3. $\forall x_1 \forall x_2 \forall c \forall z\, \big( (z > c) \wedge \varphi_2(U_1,U_2,x_1,x_2,c) \big) \to \varphi_2(U_1,U_2,x_1,x_2,z)$;

4. $\forall x_1 \forall x_2 \forall x_3 \forall z\, \big( \varphi_i(U_1,U_2,x_1,x_2,z) \wedge \varphi_i(U_1,U_2,x_2,x_3,z) \big) \to \varphi_i(U_1,U_2,x_1,x_3,z)$, for $i = 1, 2$;

5. $\big( \forall y_1 \forall y_2 \exists z \forall z_1 \forall z_2\, (U_1(y_1,y_2,z_1) \wedge U_2(y_1,y_2,z_2) \to (z_1 < z < z_2)) \big) \to \big( \forall x_1 \forall x_2 \exists c \forall c_1 \forall c_2\, (\varphi_1(U_1,U_2,x_1,x_2,c_1) \wedge \varphi_2(U_1,U_2,x_1,x_2,c_2) \to (c_1 < c < c_2)) \big)$.



Definition 3. A partial operator $F : C[a,b] \to C[c,d]$ is said to be shared by two $\Sigma$-formulas $\varphi_1$ and $\varphi_2$ in the language $\sigma^*$ if the following assertions hold. For every $u \in C([a,b])$ and $h \in C([c,d])$, $F(u) = h$ holds if and only if
$$
h|_{[x_1,x_2]} > z \leftrightarrow \mathbf{HF}(\mathbb{R}) \models \varphi_1(U_1,U_2,x_1,x_2,z) \quad \text{and} \quad h|_{[x_1,x_2]} < z \leftrightarrow \mathbf{HF}(\mathbb{R}) \models \varphi_2(U_1,U_2,x_1,x_2,z),
$$
where $U_1(x_1,x_2,c) \rightleftharpoons u|_{[x_1,x_2]} > c$, $U_2(x_1,x_2,c) \rightleftharpoons u|_{[x_1,x_2]} < c$ and the predicates $U_1$ and $U_2$ occur positively in $\varphi_1, \varphi_2$.



Definition 4. A partial operator $F : C[a,b] \to C[c,d]$ is said to be generalised computable in the language $\sigma^*$ if $F$ is shared by two $\Sigma$-formulas in the language $\sigma^*$ which satisfy the joint continuity property.

Definition 5. A partial functional $F : C[a,b] \times [c,d] \to \mathbb{R}$ is said to be generalised computable in the language $\sigma^*$ if there exists an operator $F^* : C[a,b] \to C[c,d]$ generalised computable in the language $\sigma^*$ such that $F(f,x) = F^*(f)(x)$.

Definition 6. A partial functional $F : C[a,b] \times \mathbb{R} \to \mathbb{R}$ is said to be generalised computable in the language $\sigma^*$ if there exists an effective sequence $\{F^*_n\}_{n\in\omega}$ of operators generalised computable in the language $\sigma^*$ of the types $F^*_n : C[a,b] \to C[-n,n]$ such that
$$
F(f,x) = y \leftrightarrow \forall n\,(-n < x < n \to F^*_n(f)(x) = y).
$$

2.3 Generalised Computability in the Various Languages

Now we prove the main theorem, which connects generalised computabilities in the various languages.

Theorem 1. A continuous total operator $F : C[a,b] \to C[c,d]$ is generalised computable in the language with equality if and only if it is generalised computable in the language without equality.

Proof. We outline the basic elements of the proof only. Without loss of generality we consider a continuous operator $F : C[0,1] \to C[0,1]$. Assume that $F$ is generalised computable in the language with equality. By definition, there exist $\Sigma$-formulas $\varphi_1, \varphi_2$ in the language with equality which satisfy the joint continuity property and share $F$. Let us construct new $\Sigma$-formulas $\varphi''_1, \varphi''_2$ in the language without equality which satisfy the joint continuity property and share $F$. We treat $\varphi_1$; the construction for $\varphi_2$ is symmetric. By properties of $\Sigma$-definable sets we have the following equivalence:
$$
\varphi_1(U_1,U_2,x,y,z) \leftrightarrow \bigvee_{i\in\omega} \theta_i(U_1,U_2,x,y,z).
$$
In the language with equality, for all $i \in \omega$ the formula $\theta_i$ can be written in the form
$$
\theta_i \rightleftharpoons \exists \bar r_1 \in U_1\, \exists \bar r_2 \in U_2\ \psi_i(\bar r_1, \bar r_2, x, y, z),
$$
where $\psi_i$ is a quantifier-free formula. By the definition of $U_1, U_2$, the tuples $\bar r_1, \bar r_2$ can be represented in the following way:
$$
\bar r_1 = (\alpha_1,\beta_1,\gamma_1), \ldots, (\alpha_s,\beta_s,\gamma_s), \qquad \bar r_2 = (u_1,v_1,w_1), \ldots, (u_s,v_s,w_s).
$$
For fixed $x, y, z \in D_2$, using properties of open sets definable in $\mathbb{R}$, we can effectively construct the set of $6s$-tuples
$$
T_{x,y,z} = \{(\bar r_1, \bar r_2)\} = \{(\alpha_1,\beta_1,\gamma_1,u_1,v_1,w_1, \ldots, \alpha_s,\beta_s,\gamma_s,u_s,v_s,w_s)\}
$$
with the following properties:

1. $\alpha_1, \beta_1, \gamma_1, u_1, v_1, w_1, \ldots, \alpha_s, \beta_s, \gamma_s, u_s, v_s, w_s \in \mathbb{Q}$;

2. for each $(\bar r_1, \bar r_2) \in T_{x,y,z}$ there exists $i \in \omega$ such that $\mathbf{HF}(\mathbb{R}) \models \psi_i(\bar r_1, \bar r_2, x, y, z)$;

3. for all $I \subseteq \{1,\ldots,s\}$ and $J \subseteq \{1,\ldots,s\}$ such that $\bigcap_{i \in I} [\alpha_i,\beta_i] \cap \bigcap_{j \in J} [u_j,v_j] \neq \emptyset$ we have $\max_{i \in I} \gamma_i < \min_{j \in J} w_j$.

By construction, for each $x, y, z \in D_2$ the set $T_{x,y,z}$ is computably enumerable. Let us fix some numbering and denote the $6s$-tuple numbered by $j$ as $(\bar r^j_1, \bar r^j_2)$. Let us construct $\varphi'_{i,j}$ in the following way:
$$
\varphi'_{i,j}(U_1,U_2,x,y,z) \rightleftharpoons (\bar r^j_1 \in U_1) \wedge (\bar r^j_2 \in U_2) \wedge \psi_i(\bar r^j_1, \bar r^j_2, x, y, z).
$$
Using Tarski's quantifier elimination theorem for real closed fields, $\Sigma$-definability of $D_2$ and the following equivalences,
$$
(\alpha,\beta,\gamma) \in U_1 \leftrightarrow \exists a,b,c \in D_2 \big( ((a<\alpha<\beta<b) \wedge (c>\gamma) \wedge U_1(a,b,c)) \vee ((b>\beta) \wedge (c>\gamma) \wedge U_1(0,b,c)) \vee ((a<\alpha) \wedge (c>\gamma) \wedge U_1(a,1,c)) \vee ((c>\gamma) \wedge U_1(0,1,c)) \big),
$$
$$
(\alpha,\beta,\gamma) \in U_2 \leftrightarrow \exists a,b,c \in D_2 \big( ((a<\alpha<\beta<b) \wedge (c<\gamma) \wedge U_2(a,b,c)) \vee ((b>\beta) \wedge (c<\gamma) \wedge U_2(0,b,c)) \vee ((a<\alpha) \wedge (c<\gamma) \wedge U_2(a,1,c)) \vee ((c<\gamma) \wedge U_2(0,1,c)) \big),
$$
we can construct a $\Sigma$-formula $\psi''_{i,j}$ in the language without equality which is equivalent to $\varphi'_{i,j}$ with respect to the predicates $U_1$ and $U_2$ such that $U_1(x_1,x_2,c) \rightleftharpoons f|_{[x_1,x_2]} > c$, $U_2(x_1,x_2,c) \rightleftharpoons f|_{[x_1,x_2]} < c$ for a continuous function $f$. Put
$$
\varphi'_1(U_1,U_2,x,y,z) \rightleftharpoons \bigvee_{i,j\in\omega} \psi''_{i,j}(U_1,U_2,x,y,z).
$$
Let us define a formula which is equivalent to $\varphi_1(U_1,U_2,x,y,z)$ for arbitrary $x, y, z \in \mathbb{R}$ and the predicates $U_1$, $U_2$ such that $U_1(x_1,x_2,c) \rightleftharpoons f|_{[x_1,x_2]} > c$, $U_2(x_1,x_2,c) \rightleftharpoons f|_{[x_1,x_2]} < c$ for a continuous function $f$:
$$
\varphi''_1(U_1,U_2,x,y,z) \leftrightarrow \exists x',y',z' \in D_2 \big( ((x'<x<y<y') \wedge (z'>z) \wedge \varphi'_1(U_1,U_2,x',y',z')) \vee ((y'>y) \wedge (z'>z) \wedge \varphi'_1(U_1,U_2,0,y',z')) \vee ((x'<x) \wedge (z'>z) \wedge \varphi'_1(U_1,U_2,x',1,z')) \vee ((z'>z) \wedge \varphi'_1(U_1,U_2,0,1,z')) \big).
$$
Note that $D_2$ and $\mathbb{R}$ are $\Sigma$-definable in the language without equality. So the formula $\varphi_1(U_1,U_2,x,y,z)$ is equivalent to the $\Sigma$-formula $\varphi''_1(U_1,U_2,x,y,z)$ in the language without equality for arbitrary $x, y, z \in \mathbb{R}$ and the predicates $U_1$, $U_2$ such that $U_1(x_1,x_2,c) \rightleftharpoons f|_{[x_1,x_2]} > c$, $U_2(x_1,x_2,c) \rightleftharpoons f|_{[x_1,x_2]} < c$ for a continuous function $f$. Similarly we can construct a $\Sigma$-formula $\varphi''_2$ in the language without equality which is equivalent to $\varphi_2$. The formulas $\varphi''_1, \varphi''_2$ are the required ones; that they share $F$ and satisfy the joint continuity property follows from continuity of the operator $F$. By definition, the operator $F$ is generalised computable in the language without equality. □



Proposition 2. Let $F : C[a,b] \times \mathbb{R} \to \mathbb{R}$ be a continuous total functional. Then the functional $F$ is generalised computable in the language with equality if and only if it is generalised computable in the language without equality.

3 Second Order Computability over the Reals 

In this section, we will use continuous domains to construct computational models for operators and real-valued functionals. Continuous domains, e.g. [29,30,16,7,8,11,35,36,37], are a generalisation of algebraic domains, e.g. [2,27,32,33]. The continuous domain (more precisely, the interval domain) for the reals was first proposed by Dana Scott [29] and later was applied to mathematics, physics and real number computation in [7,8,36,37,27] and others. In this section we propose continuous domains, named function domains, to construct a computational model of operators and real-valued functionals defined on the set of continuous real-valued functions.

3.1 Interval Domain for the Reals 

By the interval domain for the reals we mean the set of compact intervals of $\mathbb{R}$, partially ordered by reversed subset inclusion and endowed with a least element $\bot$.

We recall the definition of the interval domain $\mathbf{I}$ proposed in [8]:
$$
\mathbf{I} = \{[a,b] \subseteq \mathbb{R} \mid a, b \in \mathbb{R},\ a \le b\} \cup \{\bot\}.
$$
The order is reversed subset inclusion, i.e. $\bot \sqsubseteq I$ for all $I \in \mathbf{I}$ and $[a,b] \sqsubseteq [c,d]$ iff $a \le c$ and $d \le b$ in the usual ordering of the reals. One can consider the least element $\bot$ as the set $\mathbb{R}$. Directed suprema are filtered intersections of intervals. The way-below relation is given by $I \ll J$ iff $J \subseteq \mathrm{int}(I)$, where $\mathrm{int}(I)$ denotes the interior of $I$. For the relation $\ll$ we have the following properties: $\bot \ll J$ for all $J \in \mathbf{I}$ and $[a,b] \ll [c,d]$ if and only if $a < c$ and $b > d$. Note that $\mathbf{I}$ is an effective $\omega$-continuous domain. A countable basis $\mathbf{I}_0$ is given by the collection of all intervals with rational endpoints together with the least element $\bot$. Similarly, we can define the interval domain $\mathbf{I}[a,b]$ for an interval $[a,b]$.

The maximal elements are the intervals $[a,a]$, denoted as $\{a\}$. We denote the set of maximal elements as $\max(\mathbf{I})$. It is easy to see that the set of maximal elements with the subspace topology of the Scott topology on $\mathbf{I}$ is homeomorphic to the real line with the standard topology. That is why we can identify a real number $r$ with $\{r\}$.
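As an added example (not from the paper), the interval domain of this subsection in Python with exact rational endpoints: $\sqsubseteq$ as reversed inclusion, $\ll$ as containment in the interior, directed suprema as intersections, the interpolation property of a continuous domain, and nested dyadic approximants with endpoints in $D_2$ closing in on a real. The chain around $1/3$ is a constructed input and the helper names are this example's own; the paper defines the relations, not this code.

```python
"""Interval domain I (Section 3.1) with exact rational endpoints.

Added example, not from the paper.  An element is a compact [lo, hi] with
lo <= hi, or the bottom element ⊥ (read as the whole real line).  The order
is reversed inclusion, directed suprema are intersections, and I ≪ J holds
iff J lies in the interior of I.  Approximants use endpoints in D_2.
"""
from fractions import Fraction
import math


class Interval:
    """[lo, hi] with lo <= hi; ⊥ is represented by lo = hi = None."""

    def __init__(self, lo=None, hi=None):
        if (lo is None) != (hi is None):
            raise ValueError("give both endpoints or neither")
        if lo is not None and lo > hi:
            raise ValueError("an empty interval is not an element of I")
        self.lo, self.hi = lo, hi

    @property
    def is_bottom(self):
        return self.lo is None

    @property
    def is_maximal(self):
        """Maximal elements are the degenerate intervals {r} = [r, r]."""
        return not self.is_bottom and self.lo == self.hi

    def __eq__(self, other):
        return isinstance(other, Interval) and (self.lo, self.hi) == (other.lo, other.hi)

    def __repr__(self):
        return "⊥" if self.is_bottom else f"[{self.lo}, {self.hi}]"


BOTTOM = Interval()


def point(r):
    """Identify the real r with the maximal element {r}."""
    return Interval(r, r)


def below(i, j):
    """i ⊑ j  iff  j ⊆ i (reversed subset inclusion); ⊥ is least."""
    if i.is_bottom:
        return True
    if j.is_bottom:
        return False
    return i.lo <= j.lo and j.hi <= i.hi


def way_below(i, j):
    """i ≪ j  iff  j ⊆ int(i): strict on both endpoints; ⊥ ≪ everything."""
    if i.is_bottom:
        return True
    if j.is_bottom:
        return False
    return i.lo < j.lo and j.hi < i.hi


def directed_sup(family):
    """Supremum of a directed family: the intersection of its intervals.
    An empty intersection means the family was not directed; report it."""
    proper = [i for i in family if not i.is_bottom]
    if not proper:
        return BOTTOM
    lo = max(i.lo for i in proper)
    hi = min(i.hi for i in proper)
    if lo > hi:
        raise ValueError("family is not directed: empty intersection")
    return Interval(lo, hi)


def interpolate(i, j):
    """For i ≪ j return k with i ≪ k ≪ j (interpolation in a continuous domain)."""
    if not way_below(i, j):
        raise ValueError("interpolation needs i ≪ j")
    if i.is_bottom:
        return Interval(j.lo - 1, j.hi + 1)
    return Interval((i.lo + j.lo) / 2, (j.hi + i.hi) / 2)


def dyadic_approximants(r, depth):
    """Nested intervals [z/2^n, (z+1)/2^n] containing r, n = 0..depth.
    Endpoints lie in D_2; successive members share an endpoint, so they
    are ⊑-related but not ≪-related."""
    r = Fraction(r)
    chain = []
    for n in range(depth + 1):
        z = math.floor(r * 2 ** n)
        chain.append(Interval(Fraction(z, 2 ** n), Fraction(z + 1, 2 ** n)))
    return chain
```

The chain shows the practical difference between $\sqsubseteq$ and $\ll$: consecutive dyadic approximants share an endpoint, so each is below the next but not way below it, while every one of them is way below the maximal element $\{1/3\}$ because $1/3$ is not dyadic. For a real that is itself dyadic the closed approximant eventually has it as an endpoint and $\ll$ fails, which is why approximation by basis elements is phrased with $\ll$ rather than $\sqsubseteq$ throughout this section.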

3.2 Function Domains 

In this subsection we introduce effective function domains, which are effective $\omega$-continuous domains. Based on the notion of computability of mappings between two domains we propose computability of operators and functionals defined on $C[a,b]$. The main feature of this approach is related to the fact that continuous operators and functionals defined on continuous real-valued functions can be extended to continuous operators and functionals defined on the corresponding function domain. Moreover, we propose a semantic characterisation of computable operators and functionals via validity of finite $\Sigma$-formulas.

Let $\mathbf{I}$ be equipped with the Scott topology (for the definition we refer to [29,30,16]). We consider the set of continuous functions $f : [a,b] \to \mathbf{I}$ defined on a compact interval $[a,b]$ with computable endpoints. Let $\mathbb{R}^-$ denote $\mathbb{R} \cup \{-\infty\}$ and $\mathbb{R}^+$ denote $\mathbb{R} \cup \{+\infty\}$.

Definition 7. A function $f : [a,b] \to \mathbb{R}^-$ is said to be lower semicontinuous if the set $Y^-_f = \{x \mid f(x) \neq -\infty\}$ is open w.r.t. the standard topology and
$$
(\forall x_0 \in Y^-_f)\,(\forall y < f(x_0))\,\exists\delta\,(|x_0 - x| < \delta \to y < f(x)).
$$
A function $f : [a,b] \to \mathbb{R}^+$ is said to be upper semicontinuous if the set $Y^+_f = \{x \mid f(x) \neq +\infty\}$ is open w.r.t. the standard topology and
$$
(\forall x_0 \in Y^+_f)\,(\forall y > f(x_0))\,\exists\delta\,(|x_0 - x| < \delta \to y > f(x)).
$$

For the classical theory of semicontinuous functions the reader should refer to a standard textbook (e.g. [4]). The reader can also find some properties of computability on continuous and semicontinuous real functions in [38]. It is easy to see that a continuous function $f : [a,b] \to \mathbf{I}$ is closely related to the pair of functions $(f^l : [a,b] \to \mathbb{R}^-,\ f^u : [a,b] \to \mathbb{R}^+)$, where $f^l(x) = \inf f(x)$ is lower semicontinuous and $f^u(x) = \sup f(x)$ is upper semicontinuous (see [11]). The function $f^l$ is called a lower bound of $f$ and $f^u$ is called an upper bound of $f$. Below we denote $Y_f = \{x \mid f(x) \neq \bot\}$ for $f : [a,b] \to \mathbf{I}$.

To introduce our notions of computable operators and real-valued functionals, we introduce function domains, which are effective $\omega$-continuous domains.

Definition 8. Let $a, b$ be computable real numbers. A function domain $\mathbf{I}_f([a,b])$ is the collection of all continuous functions $f : [a,b] \to \mathbf{I}$ with the least element $\bot_{[a,b]}$, partially ordered by the following relation: $f \sqsubseteq g$ iff $(\forall x \in [a,b])\,(f(x) \sqsubseteq g(x))$, and $\bot_{[a,b]} \sqsubseteq f$ for all $f \in \mathbf{I}_f([a,b])$.



The way-below relation $\ll$ is induced by $\sqsubseteq$ in the standard way.

Proposition 3. For each compact interval $[a,b]$ with computable endpoints the function domain $\mathbf{I}_f([a,b])$ is an effective $\omega$-continuous domain.



Proof. The existence of $\bigsqcup A$ for each directed subset $A \subseteq \mathbf{I}_f([a,b])$ follows from the properties of semicontinuous functions. Indeed, $\bigsqcup A = (\sup_{f \in A} f^l,\ \inf_{f \in A} f^u)$, where $f^l$ is the lower bound and $f^u$ is the upper bound of $f$.

Let us prove that $f = \bigsqcup \twoheaddownarrow f$ for $f \in \mathbf{I}_f([a,b])$, where $\twoheaddownarrow f$ denotes the set $\{g \in \mathbf{I}_f([a,b]) \mid g \ll f\}$. Let $U$ be open and $\mathrm{cl}\,U = \bar U \subseteq Y_f$. The set $\twoheaddownarrow f$ contains all functions of the type $g^n_U = (g^{n,l}_U, g^{n,u}_U)$, where
$$
g^{n,l}_U(x) = \begin{cases} -\infty & \text{if } x \notin U, \\ \inf_{y \in \bar U} f^l(y) - \tfrac{1}{n} & \text{if } x \in U, \end{cases}
\qquad
g^{n,u}_U(x) = \begin{cases} +\infty & \text{if } x \notin U, \\ \sup_{y \in \bar U} f^u(y) + \tfrac{1}{n} & \text{if } x \in U. \end{cases}
$$
By the properties of semicontinuous functions, $\bigsqcup \{g^n_U \mid \bar U \subseteq Y_f,\ n \in \omega\} = f$, so $\bigsqcup \twoheaddownarrow f = f$.

It is obvious that the function domain $\mathbf{I}_f([a,b])$ is $\omega$-continuous. An example of a countable basis is the set $\mathbf{I}_{f,0}([a,b]) = \{b_n\}_{n\in\omega} \cup \{\bot_{[a,b]}\}$, where the lower bound $b^l_n$ and the upper bound $b^u_n$ of $b_n$ satisfy the following conditions: there exist $a = a_0 < \ldots < a_i < \ldots < a_N = b$ such that

1. for all $x \in (a_i, a_{i+1})$, either $b^l_n(x) = -\infty$ and $b^u_n(x) = +\infty$, or $b^l_n(x) = \alpha_i x + \beta_i$ and $b^u_n(x) = \gamma_i x + \zeta_i$;

2. if $b^l_n$ and $b^u_n$ are finite for $x \in (a_i,a_{i+1}) \cup (a_{i+1},a_{i+2})$ then $b^l_n(a_{i+1}) = \alpha_{i+1} a_{i+1} + \beta_{i+1}$ and $b^u_n(a_{i+1}) = \gamma_{i+1} a_{i+1} + \zeta_{i+1}$;

3. if $b^l_n$ and $b^u_n$ are infinite on $(a_i,a_{i+1})$ then $b^l_n(a_i) = b^l_n(a_{i+1}) = -\infty$ and $b^u_n(a_i) = b^u_n(a_{i+1}) = +\infty$,

where $a_i, \alpha_i, \beta_i, \gamma_i, \zeta_i \in D_2$.

Using the standard numbering of the set of piecewise linear functions with coefficients from $D_2$, it is easy to prove that $\mathbf{I}_{f,0}([a,b])$ is countable and effective. □



3.3 Second Order Computability 

Now we introduce notions of computable operators and computable functionals defined on total continuous real-valued functions. Below we use the standard notion of continuity of a total operator $F : \mathbf{I}_f([a,b]) \to \mathbf{I}_f([c,d])$ w.r.t. the Scott topologies on $\mathbf{I}_f([a,b])$ and $\mathbf{I}_f([c,d])$.

Definition 9. Let $\mathbf{I}_f([a,b])$, $\mathbf{I}_f([c,d])$ be some function domains and $\mathbf{I}_{f,0}([a,b]) = \{b_n\}_{n\in\omega}$, $\mathbf{I}_{f,0}([c,d]) = \{c_m\}_{m\in\omega}$ be their effective bases constructed as in Proposition 3. A continuous total operator $F : \mathbf{I}_f([a,b]) \to \mathbf{I}_f([c,d])$ is computable if the relation $c_m \ll F(b_n)$ is computably enumerable in $n$ and $m$, where $b_n \in \mathbf{I}_{f,0}([a,b])$ and $c_m \in \mathbf{I}_{f,0}([c,d])$.



Definition 10. A partial operator $F : C[a,b] \to C[c,d]$ is computable if there exists a computable operator $F^* : \mathbf{I}_f([a,b]) \to \mathbf{I}_f([c,d])$ such that
$$
F(f) = g \leftrightarrow F^*(\hat f) = \hat g, \quad \text{where } \hat f(x) = \{f(x)\},\ \hat g(x) = \{g(x)\}.
$$

Proposition 4. For a computable partial operator $F : C[a,b] \to C[c,d]$, $\mathrm{dom}(F)$ is a countable intersection of open sets.

Definition 11. A partial functional $F : C[a,b] \times [c,d] \to \mathbb{R}$ is computable if there exists a computable operator $F^* : C[a,b] \to C[c,d]$ such that
$$
F(f,x) = y \leftrightarrow F^*(f)(x) = y.
$$

To introduce computability of a functional $F : C[a,b] \times \mathbb{R} \to \mathbb{R}$, we use an effective sequence $\{\mathbf{I}_f([-n,n])\}_{n\in\omega}$ of domains $\mathbf{I}_f([-n,n])$ with coordinated bases in the following sense. We consider a sequence of bases $\{\mathbf{I}_{f,0}([-n,n])\}_{n\in\omega} = \{\{b^n_i\}_{i\in\omega}\}_{n\in\omega}$ with the homomorphisms $\mathrm{res}_{m,n} : \mathbf{I}_f([-m,m]) \to \mathbf{I}_f([-n,n])$ of restrictions for $m > n$ defined by the natural rules $\mathrm{res}_{m,n}(b^m_i) = b^m_i|_{[-n,n]} = b^n_i$ and $\mathrm{res}_{m,n}(\bot_{[-m,m]}) = \bot_{[-n,n]}$.

Definition 12. A sequence of computable operators $F_k : \mathbf{I}_f[a,b] \to \mathbf{I}_f[-k,k]$ is uniformly computable if $b^k_m \ll F_k(b_n)$ is computably enumerable in $k$, $n$ and $m$.

Definition 13. A sequence $\{F_k\}_{k\in\omega}$ of computable operators $F_k : C[a,b] \to C[-k,k]$ is uniformly computable if there exists a uniformly computable sequence of computable operators $F^*_k : \mathbf{I}_f[a,b] \to \mathbf{I}_f[-k,k]$ such that for $k \in \omega$
$$
F_k(f) = g \leftrightarrow F^*_k(\hat f) = \hat g, \quad \text{where } \hat f(x) = \{f(x)\},\ \hat g(x) = \{g(x)\},\ x \in [a,b].
$$

Definition 14. A functional $F : C[a,b] \times \mathbb{R} \to \mathbb{R}$ is computable if there exists a uniformly computable sequence of computable operators $F_k : C[a,b] \to C[-k,k]$ such that
$$
F(f,x) = y \leftrightarrow \forall k\,(x \in [-k,k] \to F_k(f)(x) = y).
$$

Note that for $m > n$ the condition $\mathrm{res}_{m,n}(F^*_m(f)) = F^*_n(f)$ holds by construction.

4 Generalised Computability and Second Order Computability

Now we prove the theorem which connects computable operators and real-valued functionals with validity of finite $\Sigma$-formulas.

Theorem 2. An operator $F : C[a,b] \to C[c,d]$ is computable if and only if it is generalised computable in the language without equality.

Proof. Let $F : C[a,b] \to C[c,d]$ be computable. Let us consider its corresponding operator $F^* : \mathbf{I}_f[a,b] \to \mathbf{I}_f[c,d]$. We construct two $\Sigma$-formulas $\varphi_1, \varphi_2$ satisfying the conditions of Definition 2. Let $\mathbf{I}_{f,0}([a,b]) = \{b_i\}_{i\in\omega}$ and $\mathbf{I}_{f,0}([c,d]) = \{c_i\}_{i\in\omega}$ be effective bases constructed as in Proposition 3 for $\mathbf{I}_f([a,b])$ and $\mathbf{I}_f([c,d])$. Suppose $u \in \mathbf{I}_f([a,b])$. It is easy to see that the relation $b_n \ll u$ is definable by $\Sigma$-formulas in the language without equality with positive occurrences of $U_1$ and $U_2$, where $U_1(r_1,r_2,c) \rightleftharpoons u^l|_{[r_1,r_2]} > c$ and $U_2(r_1,r_2,c) \rightleftharpoons u^u|_{[r_1,r_2]} < c$. Therefore the set $\{(n,m) \mid b_n \ll u \wedge c_m \ll F^*(b_n)\}$ is definable by some $\Sigma$-formula $\Phi(n,m,U_1,U_2)$. Then
$$
c_m \ll F^*(u) \leftrightarrow \mathbf{HF}(\mathbb{R}) \models \exists n\, \Phi(n,m,U_1,U_2).
$$
Put
$$
\varphi_1(U_1,U_2,x_1,x_2,z) \rightleftharpoons \exists m \exists n\, \big( (c^l_m|_{[x_1,x_2]} > z) \wedge \Phi(n,m,U_1,U_2) \big),
$$
$$
\varphi_2(U_1,U_2,x_1,x_2,z) \rightleftharpoons \exists m \exists n\, \big( (c^u_m|_{[x_1,x_2]} < z) \wedge \Phi(n,m,U_1,U_2) \big).
$$
Clearly, $\varphi_1, \varphi_2$ are the required formulas.

Let $F : C[a,b] \to C[c,d]$ be generalised computable. It is not hard to see that the formulas $\varphi_1, \varphi_2$ define an operator $F^* : \mathbf{I}_f[a,b] \to \mathbf{I}_f[c,d]$. Monotonicity of $F^*$ follows from positive occurrences of $U_1$ and $U_2$ in the formulas $\varphi_1$ and $\varphi_2$.

Because $\mathbf{I}_f[a,b]$ and $\mathbf{I}_f[c,d]$ are $\omega$-continuous domains, it is enough to prove that $F^*$ preserves suprema of countable directed sets.

Let $A = \{\langle u^l_n, u^u_n \rangle\}_{n\in\omega}$ and $\bigsqcup A = \langle u^l, u^u \rangle$. Put $U_{1n}(x_1,x_2,c) \rightleftharpoons u^l_n|_{[x_1,x_2]} > c$ and $U_{2n}(x_1,x_2,c) \rightleftharpoons u^u_n|_{[x_1,x_2]} < c$ for $n \in \omega$, and $U_1(x_1,x_2,c) \rightleftharpoons u^l|_{[x_1,x_2]} > c$, $U_2(x_1,x_2,c) \rightleftharpoons u^u|_{[x_1,x_2]} < c$.

Note that if $A$ is a directed set of lower semicontinuous functions and $\lim_{a \in A} a(x) = g(x)$, then for a compact $V$ and every $c \in \mathbb{R}$ the following assertion holds: if $g(x) > c$ for all $x \in V$, then there exists $a \in A$ such that $a(x) > c$ for all $x \in V$.

So, if $u^l|_{[x_1,x_2]} > c$ then there exists $n$ such that $u^l_n|_{[x_1,x_2]} > c$, and if $u^u|_{[x_1,x_2]} < c$ then there exists $n$ such that $u^u_n|_{[x_1,x_2]} < c$. So
$$
U_1(x_1,x_2,c) = \bigvee_{n\in\omega} U_{1n}(x_1,x_2,c) \quad \text{and} \quad U_2(x_1,x_2,c) = \bigvee_{n\in\omega} U_{2n}(x_1,x_2,c).
$$
By the properties of $\Sigma$-formulas and positive occurrences of $U_1$ and $U_2$ in $\varphi_1$ and $\varphi_2$,
$$
\varphi_1(U_1,U_2,x_1,x_2,c) \leftrightarrow \bigvee_{n\in\omega} \varphi_1(U_{1n},U_{2n},x_1,x_2,c), \qquad
\varphi_2(U_1,U_2,x_1,x_2,c) \leftrightarrow \bigvee_{n\in\omega} \varphi_2(U_{1n},U_{2n},x_1,x_2,c).
$$
Hence it is clear that $F^*(\bigsqcup A) = \bigsqcup F^*(A)$.

Now we show that the set $\{(n,m) \mid c_m \ll F^*(b_n)\}$ is $\Sigma$-definable and, as a consequence, is computably enumerable in $n$ and $m$. Let $F^*(\langle b^l_n, b^u_n \rangle) = \langle h^l, h^u \rangle$. Since $b^l_n$, $b^u_n$, $c^l_m$ and $c^u_m$ are piecewise linear, it is obvious that the sets $b^l_n|_{[x_1,x_2]} > c$, $b^u_n|_{[x_1,x_2]} < c$, $c^l_m|_{[x_1,x_2]} > c$ and $c^u_m|_{[x_1,x_2]} < c$ are $\Sigma$-definable. As is evident from the definition of $F^*$, the sets $h^l|_{[x_1,x_2]} > c$ and $h^u|_{[x_1,x_2]} < c$ are $\Sigma$-definable too. By properties of semicontinuous functions, there exist upper semicontinuous step functions $s^l$ and $s^u$ such that $c^l_m(x) < s^l(x) < h^l(x)$ and $c^u_m(x) > s^u(x) > h^u(x)$ for $x \in [c,d]$.

As one can see, the following $\Sigma$-formula
$$
\exists x_0 \ldots \exists x_k\, \exists y_0 \ldots \exists y_{k-1}\, \exists z_0 \ldots \exists z_{k-1} \bigwedge_{i<k} \big( (c^l_m|_{[x_i,x_{i+1}]} < y_i) \wedge (h^l|_{[x_i,x_{i+1}]} > y_i) \wedge (c^u_m|_{[x_i,x_{i+1}]} > z_i) \wedge (h^u|_{[x_i,x_{i+1}]} < z_i) \big)
$$
defines the set $\{(n,m) \mid c_m \ll F^*(b_n)\}$. As a consequence this set is computably enumerable in $n$ and $m$. □

Note that using the previous theorem one can elegantly prove computability of such functionals as $\sup_{x\in[x_1,x_2]} f(x)$, $\min_{x\in[x_1,x_2]} f(x)$ and the Riemann integral on $[x_1,x_2]$. A couple of corresponding examples and counterexamples can be found in [27,28,39].

Corollary 1. A functional $F : C[a,b] \times [c,d] \to \mathbb{R}$ is computable if and only if it is generalised computable in the language without equality.

Corollary 2. A functional $F : C[a,b] \times \mathbb{R} \to \mathbb{R}$ is computable if and only if it is generalised computable in the language without equality.

Corollary 3. Let $F : C[0,1] \times \mathbb{R} \to \mathbb{R}$ be a continuous functional. Then the functional $F$ is computable in the sense of computable analysis if and only if $F$ is generalised computable with equality.
5 Conclusions

In this work we have analysed computability of operators and functionals defined on the class of continuous functions. Using the effective $\omega$-continuous domains presented here we introduced a notion of second-order computability in the framework of domain theory. We took into consideration semantic characterisations of computable objects. It was shown that definability theory can be useful for analysing computability of higher-order objects over the reals.
Abstract. This paper is about the combinatorial properties necessary for the construction of realizability models with certain type-theoretic properties. We take as our basic construction a form of tagging in which elements of sets are equipped with tags, and functions must operate constructively on tags. To complete the construction we allow a form of closure under quotients by equivalence relations. In this paper we analyse first the condition for a natural monoidal structure to be product structure, and then investigate necessary conditions for the realizability model to be locally cartesian closed and to have a subobject classifier.



Introduction 

Realizability is a technique for constructing models in which all operations of a 
given type are computable, according to a given notion of computation. It ex- 
tends the naive approach of enumerating elements and requiring that operations 
be computable with respect to the enumerations, in particular by allowing the 
construction of higher-order types. It produces extensional models which vali- 
date various forms of constructive reasoning, e.g. [10,17,19], and forms the basis 
for PER models of polymorphic lambda calculi e.g. [11]. All this work uses tra- 
ditional intensional models of untyped computation, such as the Kleene algebra 
of partial recursive functions. However there is recent interest in extending this, 
for example to process models [1] or to the typed setting [13,12]. 

These approaches tend to take quite a concrete approach, giving structures 
and building combinators into the definition. For example Longley’s notion of typed pca assumes function spaces and application, and then uses them to construct a locally cartesian closed category (the category-theorist’s analogue of a 
type theory with dependent products). The purpose of the present paper is to 
attempt to reverse this. One of our results is that, modulo a condition to do 
with the way pairs are represented in the realizability model, if the realizability 
model is locally cartesian closed, then the model of computation has a weak 
form of function space, though not quite Longley’s. This to some extent vali- 
dates the use of combinatorial structures which have function spaces built in, 
and is typical of the form of our results. Broadly, they say that for the realiz- 
ability model to support extensional forms of type structure, i.e. with both β and η laws, the underlying model of computation has to interpret corresponding 
combinators, but in a weak sense. This holds both for products and for function 
spaces. There is an exception to this pattern in the result which discusses what 
happens when the realizability model has a subobject classifier: in this case the 
model of computation must have a universal object, again in a weak sense, and thus, from the point of view of the model, a typed form of realizability gives no extra generality over an untyped form. 

We have chosen to use categorical technology and to couch our results in 
categorical terms. Thus, for us, a model of computation will be a category (for 
example the category with a single object, to be thought of as N, where the mor- 
phisms are partial recursive functions), and the existence of combinators will be 
given by structure on that category. There are two reasons for this choice. The 
first is that our account of the construction of a realizability model is essen- 
tially categorical. It is of course possible to give the construction in more set- 
theoretic language, and indeed this appears quite natural for the first part of the 
construction. However, set-theoretic constructions can be overly concrete. Our 
category-theoretic framework applies immediately to pointed cpo’s, where there 
are at least two possible ways of assigning a set (include bottom or not). Moreover, if one uses a set-theoretic presentation, the second part of the construction 
(freely adjoining quotients of equivalence relations) is poorly motivated. It would 
not be clear why that particular definition should be chosen over a number of 
possible variants. Our second reason is that the categorical formulation gives a 
fairly clear idea of what the minimal supporting structure might be. Set-theoretic formulations do not. 

In these senses the paper contrasts with recent work particularly by Lon- 
gley [13] and Lietz and Streicher [12], in which the basis is taken as a typed 
generalisation of a partial combinatory algebra. We, like they, will be interested 
in when the construction yields a topos, and hence gives a full interpretation of 
higher-order logic. This is also a theme of Birkedal’s work, see [2,3], and his joint 
work in [4]. 

We present realizability toposes as the product of two constructions. First one 
takes a category (which corresponds to the typed partial combinatory algebra), 
and then one glues Set to it in a variant of the comma construction. This step is 
the categorical equivalent of forming a category in which objects are sets whose 
elements are tagged by possible realizers, e.g. natural numbers. The result should 
be a category with finite products, and we study the conditions under which it is 
so, or rather we study the conditions under which a natural monoidal structure 
gives finite products. In this event, it has long been known [6,16] that in the 
examples derived from standard realizability the associated realizability topos is 
the exact completion, i.e. it is obtained essentially by freely adjoining quotients 
of equivalence relations. In the general case which we study, we do not necessarily 
get a cartesian closed category, still less a topos. We produce necessary conditions 
for local cartesian closure (dependent products, not just function spaces) and the 
existence of a subobject classifier (an object of truth values). 
Our study of finite limits depends on the initial category being monoidal. 
This is the level of product structure exhibited by multiplicatives in linear logic. 
We show that finite products demand in addition combinators corresponding to 
diagonal and projections. These results can be read as saying that Birkedal was 
correct to use categories of partial maps as a basis for his theory, nothing signifi- 
cantly more general would have worked. In the case of function spaces, however, 
we get something slightly weaker than Birkedal’s condition. Birkedal’s condition 
is an analogue of the standard partial function space, in that every partial func- 
tion is representable. Our results suggest that this is too strong for the current 
purpose, and all that is required is that some extension of any partial function 
be representable. This is a new notion of partial function space, which, to our 
knowledge, has not previously been encountered. Finally, we present our version 
of a result given independently by Birkedal and Lietz and Streicher, that if the 
realizability category has a subobject classifier, then the original category has 
a form of universal object. Our result is slightly more general than theirs, since 
it is independent of questions of cartesian closure inherent in their frameworks, 
and we give an explicit account of how it relates to untyped realizability. 

The motivation for this work came from two directions. The first was to pro- 
vide a general categorical account of traditional work on realizability. Our results 
show limitations on the use of typed forms of standard realizability in terms of 
the models they produce. There remains, however, modified realizability. It is 
possible to read the sets of “possible realizers” in modified realizability as a form 
of type, and hence to think of modified realizability as a form of typed realizability. Alas, our results show that this cannot be if by typed realizability we mean either the construction given here or, more particularly, Longley’s setting. 

Our second motivation was to provide a case study giving the limitations of 
what could be achieved using these structures, but admitting the possibility of 
starting out with a very different model of computation, as in Abramsky’s work 
on process realizability [1]. Here we believe that our results and techniques could 
be useful in narrowing down the design space. 

A longer version of this paper is available from the authors. It contains a 
more substantial introduction as well as those proofs which have been excised 
for reasons of space. 

We would like to acknowledge useful discussions with Lars Birkedal, Peter 
Lietz, Thomas Streicher and particularly Federico de Marchi. 



1 The $\mathcal{F}$-Construction 

There is a simple categorical generalisation of the construction of the category of 
partitioned assemblies, given by a variant of the standard comma construction. 

We write Ptl for the category of sets and partial functions. The standard 
cartesian product of sets is no longer a categorical product, but it does provide 
a monoidal structure, which we shall use later. 

Suppose $U : \mathbf{C} \to \mathbf{Ptl}$ is a functor. Let $\mathcal{F}(\mathbf{C}, U)$ be the category whose objects are triples $(C, S, \sigma : S \to U(C))$, where $\sigma$ is total, and a map $f : (C, S, \sigma) \to (C', S', \sigma')$ is a (total) function $f : S \to S'$ such that there exists a map $\phi : C \to C'$ in $\mathbf{C}$ for which 
\[
\begin{array}{ccc}
S & \xrightarrow{\ f\ } & S' \\
{\scriptstyle\sigma}\downarrow & & \downarrow{\scriptstyle\sigma'} \\
U(C) & \xrightarrow{\ U(\phi)\ } & U(C')
\end{array}
\]
commutes. 

Notation. We shall always write $\mathcal{F}(\mathbf{C})$ leaving $U$ understood. Instead of $(C, S, \sigma : S \to U(C))$, we shall write a typical object of $\mathcal{F}(\mathbf{C})$ as $\sigma : S \to U(C)$, using the fact that we can recover $C$ from the notation $U(C)$. Finally, we shall write morphisms as pairs $(f, \phi)$. This is redundant in that the equality between morphisms is based only on the first component, but we shall need to use the second in some of our constructions. 

We can think of this as a category of tagged sets: $\sigma : S \to U(C)$ represents the tagging of the elements of $S$ by realizers taken from $U(C)$. The functions are functions at the level of sets which can be traced by a function on tags. 

Example 1. As part of the construction of a standard realizability topos, $\mathbf{C}$ can be taken to be the monoid of representable partial endo-functions on the partial combinatory algebra in use. In this case $\mathcal{F}(\mathbf{C})$ is the category of partitioned assemblies (the projective objects) in the associated realizability topos. In particular, if we take $\mathbf{C}$ to be the monoid of partial recursive functions on $\mathbb{N}$, then we will get the projective objects of the classical effective topos. 

The category $\mathcal{F}(\mathbf{C})$ always has equalizers, and we shall see that weak conditions on $\mathbf{C}$ ensure products in $\mathcal{F}(\mathbf{C})$. Similarly, weak conditions on $\mathbf{C}$ ensure that the exact completion $\mathcal{F}(\mathbf{C})_{\mathrm{ex}}$ is locally cartesian closed. 

Like a comma category, $\mathcal{F}(\mathbf{C})$ comes equipped with a number of functors. 

Let $\mathbf{C}_t$ be the inverse image along $U$ of the subcategory of total functions; then there is a full functor $Y : \mathbf{C}_t \to \mathcal{F}(\mathbf{C})$ defined by 
\[
[\phi : C \to C'] \;\mapsto\; [(C, U(C), \mathrm{id}) \to (C', U(C'), \mathrm{id})]
\]
or 
\[
[\phi : C \to C'] \;\mapsto\; [(U(C) \xrightarrow{\mathrm{id}} U(C)) \xrightarrow{\ U(\phi)\ } (U(C') \xrightarrow{\mathrm{id}} U(C'))].
\]
This becomes full and faithful when $U$ is faithful. 

Because of the existence condition in the definition of morphisms, there is no forgetful functor $\mathcal{F}(\mathbf{C}) \to \mathbf{C}$; however there is one $\mathcal{F}(\mathbf{C}) \to \mathbf{Set}$. More significantly, let $C$ be an arbitrary object of $\mathbf{C}$, and $x : 1 \to U(C)$ an arbitrary element of $U(C)$; then there is a full embedding $V_{C,x} : \mathbf{Set} \to \mathcal{F}(\mathbf{C})$ defined by 
\[
V : [f : S \to S'] \;\mapsto\; [(S \xrightarrow{\ x\ } U(C)) \xrightarrow{\ f\ } (S' \xrightarrow{\ x\ } U(C))],
\]
where $S \xrightarrow{x} U(C)$ is the function constant at $x$. 

This definition is quite robust. If there are morphisms $\phi : C \to C'$ and $\psi : C' \to C$ such that $U(\phi)x = x'$ and $U(\psi)x' = x$, then $V_{C,x}$ is naturally isomorphic to $V_{C',x'}$. 

Because of the existence condition in the definition of maps of $\mathcal{F}(\mathbf{C})$, it is clear that $\mathcal{F}(\mathbf{C})$ is equivalent to $\mathcal{F}(U[\mathbf{C}])$ where $U[\mathbf{C}]$ is the quotient of $\mathbf{C}$ with two maps identified when they have the same value under $U$ (in other words, the category sitting in the middle of the (full and identity on objects)/faithful factorisation of $U$). 

Notation. In order to make things less cluttered, from now on we shall write $\underline{(\ )}$ for the functor $U$, so $U(C) = \underline{C}$ and $U(\phi) = \underline{\phi}$. 

2 Exact Completions 

Our construction proceeds in two stages. We begin by constructing a base category using the $\mathcal{F}$-construction, and then we construct a better-behaved category from that using an exact completion. In other words our final category is a free exact category on a category obtained by means of the $\mathcal{F}$-construction. 

Our results, then, rely on the fundamental property of an exact completion (cf. [7]): Given an exact category $\mathbf{A}$, let $\mathbf{P}$ be the full subcategory on the regular projectives of $\mathbf{A}$. Then $\mathbf{A}$ is an exact completion of a category with finite limits if and only if $\mathbf{P}$ is closed under finite limits and each object in $\mathbf{A}$ is covered by a regular projective (i.e. for every $A$ in $\mathbf{A}$ there is a regular epi $P \twoheadrightarrow A$ from a regular projective $P$). When this is the case, $\mathbf{A}$ is the exact completion of $\mathbf{P}$. 

The crucial point here is that the base category of projectives, $\mathbf{P}$, which in our case is going to be $\mathcal{F}(\mathbf{C})$, must be left exact, and in the next section we explore conditions under which this is so. 

3 Finite Limits 

First, we observe that $\mathcal{F}(\mathbf{C})$ always has equalisers. This reduces the question to when $\mathcal{F}(\mathbf{C})$ has products. It is fairly easy to see when $\mathcal{F}(\mathbf{C})$ has a terminal object, though the condition seems both delicate and a little unnatural. However, characterising products seems more difficult. 

Fortunately, in the cases we know about $\mathbf{C}$ can be taken to be a monoidal category, and $\underline{(\ )}$ a monoidal functor (cf. [9]). This means that $\mathcal{F}(\mathbf{C})$ has a candidate for a monoidal structure. The unit is given by $\psi : 1 \to \underline{I}$, and the tensor by 
\[
(f : X \to \underline{C}) \otimes (g : Y \to \underline{D}) \;=\; \theta(f \times g) : X \times Y \to \underline{C \otimes D},
\]
where $\psi$ and $\theta : \underline{C} \times \underline{D} \to \underline{C \otimes D}$ are the maps given by the monoidal structure of $\underline{(\ )}$. These definitions give valid objects of $\mathcal{F}(\mathbf{C})$ if and only if $\psi$ and $\theta$ are total. In this case, the resulting structure is indeed monoidal. The verification is straightforward category theory, except that at some points we have to use the totality of various morphisms. 

This allows us to ask a simpler question: when is this monoidal structure actually a product? This simplification is not without cost. We noted above that $\mathcal{F}(\mathbf{C})$ is equivalent to $\mathcal{F}(U[\mathbf{C}])$ where $U[\mathbf{C}]$ is the quotient of $\mathbf{C}$ with two maps identified when they have the same value under $\underline{(\ )}$. This suggests that without loss of generality we can take $\underline{(\ )}$ to be faithful. This is not, unfortunately, the case. The problem is that the monoidal structure on $\mathbf{C}$ does not necessarily transfer to one on $U[\mathbf{C}]$. The reason is that unless $\theta$ is iso, the monoidal tensor does not necessarily respect equivalence of maps. But, unless $\underline{(\ )}$ is faithful we cannot completely reflect properties of $\mathcal{F}(\mathbf{C})$ back into properties of $\mathbf{C}$. This explains why in general we prove properties up to the functor $\underline{(\ )}$, leaving the cleaner and perhaps more interesting case where $\underline{(\ )}$ is faithful to corollaries. This is first evident in the characterisation of when the monoidal unit on $\mathcal{F}(\mathbf{C})$ is terminal. 

Lemma 1. $\psi : 1 \to \underline{I}$ is terminal in $\mathcal{F}(\mathbf{C})$ if and only if for each object $C$ of $\mathbf{C}$ there is a map $t_C : C \to I$ such that $\underline{t_C} = \psi \circ {!}$, i.e. the triangle 
\[
\begin{array}{ccc}
\underline{C} & \xrightarrow{\ !\ } & 1 \\
 & {\scriptstyle\underline{t_C}}\searrow & \downarrow{\scriptstyle\psi} \\
 & & \underline{I}
\end{array}
\]
commutes. 

Proof. If $\psi : 1 \to \underline{I}$ is terminal, then we obtain $t_C$ by considering the terminal map from $\mathrm{id} : \underline{C} \to \underline{C}$ to $\psi$ (the diagram is as above). Conversely, given such a family of maps, $\psi$ is weakly terminal because for any $f : X \to \underline{C}$ we have the following diagram (note that the upper triangle commutes because $f$ is total). 
\[
\begin{array}{ccc}
X & \xrightarrow{\ f\ } & \underline{C} \\
{\scriptstyle !}\downarrow & {\scriptstyle !}\swarrow & \downarrow{\scriptstyle\underline{t_C}} \\
1 & \xrightarrow{\ \psi\ } & \underline{I}
\end{array}
\]
However, maps into $\psi$ are unique, when they exist, because maps into $1$ are. This establishes that $\psi$ is terminal. $\square$ 

Now, if the unit of a monoidal category is terminal, then there are candidates for left and right projections from the tensor: 
\[
\pi_0 = \rho_X(\mathrm{id}_X \otimes t_Y) : X \otimes Y \to X
\qquad
\pi_1 = \lambda_Y(t_X \otimes \mathrm{id}_Y) : X \otimes Y \to Y
\]
This allows us to ask the question of when the monoidal tensor is a product, in the precise sense that these projections together form a product cone. 

Lemma 2. In the case that $\psi : 1 \to \underline{I}$ is terminal in $\mathcal{F}(\mathbf{C})$, the candidates for projections above form product cones if and only if for each object $C$ of $\mathbf{C}$ there is a map $d_C : C \to C \otimes C$ such that $\underline{d_C} = \theta \circ \Delta_{\underline{C}}$, where $\Delta_{\underline{C}} : \underline{C} \to \underline{C} \times \underline{C}$ is the ordinary cartesian diagonal. 
Proof. (Sketch) First, suppose that the tensor is cartesian product. Then the tensor of $\mathrm{id} : \underline{C} \to \underline{C}$ with itself is $\theta : \underline{C} \times \underline{C} \to \underline{C \otimes C}$. This must have a diagonal 
\[
\begin{array}{ccc}
\underline{C} & \xrightarrow{\ D\ } & \underline{C} \times \underline{C} \\
{\scriptstyle\mathrm{id}}\downarrow & & \downarrow{\scriptstyle\theta} \\
\underline{C} & \xrightarrow{\ \underline{d_C}\ } & \underline{C \otimes C}
\end{array}
\]
Composing with the projections we see that $D$ must be the diagonal $\Delta_{\underline{C}}$, and the square then yields $\underline{d_C} = \theta \circ \Delta_{\underline{C}}$, as required. 

For the converse, suppose we have two maps out of a common object $Z \to \underline{C}$ of $\mathcal{F}(\mathbf{C})$ [diagram missing]; then we can form their pairing, given by composing the obvious “diagonal” on $Z \to \underline{C}$ (the left-hand half of the diagram) with the tensor product. $\square$ 

Note that $\Delta$ and $\theta$ are natural considered as transformations between functors $\mathbf{C} \to \mathbf{Ptl}$, hence $\underline{d_C}$ is natural in $C$. Thus, if $\underline{(\ )}$ is faithful, then $d_C$ itself is natural in $C$. However, although $\psi$ is natural in $C$, $!$ is only natural in the subcategory of total maps. Whence $\underline{t_C}$ (and hence $t_C$, if $\underline{(\ )}$ is faithful) is natural only in the category of total maps in $\mathbf{C}$. 

Moreover, it is not necessarily the case that $\underline{I}$ is isomorphic to $1$, or that $\underline{X \otimes Y}$ is isomorphic to $\underline{X} \times \underline{Y}$. However: 
Lemma 3. There is a map $e : X \otimes Y \to X \otimes Y$ such that $\underline{e}$ is an idempotent split by 
\[
\underline{X \otimes Y} \xrightarrow{\ (\underline{\pi_0},\, \underline{\pi_1})\ } \underline{X} \times \underline{Y} \xrightarrow{\ \theta\ } \underline{X \otimes Y}
\]
where $\pi_0 = \rho(\mathrm{id} \otimes t)$ and $\pi_1 = \lambda(t \otimes \mathrm{id})$. 

Similarly $t_I$ is an endomorphism on $I$, such that $\underline{t_I}$ is split by 
\[
\underline{I} \xrightarrow{\ !\ } 1 \xrightarrow{\ \psi\ } \underline{I}.
\]

In summary: 

Lemma 4. If $\mathbf{C}$ is a symmetric monoidal category and $\underline{(\ )}$ a faithful symmetric monoidal functor $\mathbf{C} \to \mathbf{Ptl}$, for which the structural maps $\psi : 1 \to \underline{I}$ and $\theta_{C,D} : \underline{C} \times \underline{D} \to \underline{C \otimes D}$ are total, then $\mathcal{F}(\mathbf{C})$ carries a symmetric monoidal structure. This is a product structure, i.e. the unit is terminal, and the monoidal product together with projections defined from terminal maps and monoidal structure forms product cones, if and only if for each object $C$ of $\mathbf{C}$ there are maps $t_C : C \to I$ and $d_C : C \to C \otimes C$ such that $\underline{t_C} = \psi \circ {!}$ and $\underline{d_C} = \theta_{C,C} \circ \Delta_{\underline{C}}$. In addition, $d_C$ is natural in $C$ (though $t_C$ is not). 

If $\mathcal{F}(\mathbf{C})$ is left exact, then we can take its exact completion. This is our candidate for a topos. In the next two sections we see what we can say about $\mathbf{C}$ when this category is (locally) cartesian closed or has a subobject classifier. It is simpler to deal with the subobject classifier first. 

4 Subobject Classifiers and Universal Objects 

From this point we shall make the following running assumptions: $\mathbf{C}$ is a symmetric monoidal category and $\underline{(\ )}$ a symmetric monoidal functor $\mathbf{C} \to \mathbf{Ptl}$, for which the structural maps $\psi : 1 \to \underline{I}$ and $\theta_{C,D} : \underline{C} \times \underline{D} \to \underline{C \otimes D}$ are total. Moreover we require the existence of families of maps $t_C : C \to I$ and $d_C : C \to C \otimes C$ such that $\underline{t_C} = \psi \circ {!}$ and $\underline{d_C} = \theta_{C,C} \circ \Delta_{\underline{C}}$, as in the last section. These assumptions ensure that $\mathcal{F}(\mathbf{C})$ is left exact, with cartesian structure derived from the monoidal structure of $\mathbf{C}$. 

In this section we investigate the connection between the existence of a subobject classifier in $\mathcal{F}(\mathbf{C})_{\mathrm{ex}}$ and universal objects in $\mathbf{C}$. As before, our main result takes its cleanest form when $U$ is faithful, but can be deduced immediately from a more technical statement which holds in general. 

Definition 1. The category $\mathbf{C}$ has a universal object $W$ if each object $C$ of $\mathbf{C}$ is a retract of $W$. 

Proposition 1. If the category $\mathcal{F}(\mathbf{C})_{\mathrm{ex}}$ has a subobject classifier, then there is an object $W$ of $\mathbf{C}$, such that for each object $C$ of $\mathbf{C}$ there are morphisms $\gamma : C \to W$ and $\delta : W \to C$ such that $\underline{\delta\gamma}$ is the identity on $\underline{C}$. 

Intuitively, modulo $U$, $W$ is universal in $\mathbf{C}$. If $U$ is faithful, then this immediately implies that $\delta\gamma = \mathrm{id}_C$. 

Corollary 1. If the category $\mathcal{F}(\mathbf{C})_{\mathrm{ex}}$ has a subobject classifier, and the functor $U$ is faithful, then the category $\mathbf{C}$ has a universal object. 

This result is closely connected to one in [12,2] obtained for the subcategory 
of an exact completion as above which is the regular completion of P, see [5]. 

Our proof builds on previous analysis of subobject classifiers in exact completions. The following is a slight variant of Menni [14]. 

Definition 2. A map $u : W \to V$ is a (weakly) weak proof classifier if every map in the category appears as weakly equivalent to a (weak) pullback of $u$: i.e. for every map $a : X \to A$ there is a diagram 
\[
\begin{array}{ccccc}
X & \longrightarrow & X' & \longrightarrow & W \\
{\scriptstyle a}\downarrow & & \downarrow{\scriptstyle a'} & & \downarrow{\scriptstyle u} \\
A & = & A & \longrightarrow & V
\end{array}
\qquad (1)
\]
where the square is a (weak) pullback, and the triangles (over $A$) commute. 

In an exact category A where every object is covered by a regular projective, a 
weakly weak proof classifier is what can be traced directly in the full subcategory 
P of projectives when A has a subobject classifier. If in addition P is a left exact 
subcategory (as when A is its exact completion), then any weakly weak proof 
classifier is actually a weak proof classifier in the sense of Menni (the weak 
pullback in the definition can always be taken to be a pullback). 

We will also need a further technical result, establishing a factorisation prop- 
erty which generalises a standard lemma for subobject classifiers, and is best 
seen in the abstract: 

Lemma 5. Suppose that $u : W \to V$ is a (weakly) weak proof classifier, and that $a : X \to A$ is an arbitrary map. The (weakly) weak proof classifier produces a diagram 
\[
\begin{array}{ccccc}
X & \xrightarrow{\ h\ } & X' & \longrightarrow & W \\
{\scriptstyle a}\downarrow & & \downarrow{\scriptstyle a'} & & \downarrow{\scriptstyle u} \\
A & = & A & \xrightarrow{\ f\ } & V
\end{array}
\]
Suppose now that $b : Y \to A$ makes $f$ true, in the sense that $f \circ b$ factors through $u$; then $b$ factors through $a$. 
Proof (Proposition 1, sketch). Taking a weak proof classifier (2), we prove that $W$ is “universal” (quotation marks indicate that this holds modulo $\underline{(\ )}$). 

To prove that $C$ is a “retract”, classify the map 
\[
\begin{array}{ccc}
\underline{C} & \xrightarrow{\ \mathrm{id}\ } & \underline{C} \\
{\scriptstyle\mathrm{id}_C}\downarrow & & \downarrow{\scriptstyle\underline{t_C}} \\
\underline{C} & \xrightarrow{\ \underline{t_C}\ } & \underline{I}
\end{array}
\qquad (3)
\]
giving a map $\gamma : C \to W$. This is total, and we use it as an object of $\mathcal{F}(\mathbf{C})$ in order to establish the existence of a “retraction”. $\square$ 



5 Function Spaces 

In this section we deal with conditions for the cartesian closure of $\mathcal{F}(\mathbf{C})_{\mathrm{ex}}$. We continue with the running assumption made at the start of section 4: that $\mathbf{C}$ is a symmetric monoidal category, and $U : \mathbf{C} \to \mathbf{Ptl}$ a symmetric monoidal functor satisfying certain conditions so that $\mathcal{F}(\mathbf{C})$ is a left exact category with product structure constructed from the monoidal structure on $\mathbf{C}$. We shall abuse the structure and refer to a map $f$ in $\mathbf{C}$ as total just when its image under $U$, $\underline{f}$, is total. 

As in section 4, our work builds heavily on previous work on properties of 
exact completions. One of the major lessons of [8] is that in this context it is 
easier to deal with local cartesian closure, than simple cartesian closure. So it is 
an important fact that exact completion is a local construction. 

Lemma 6. Let $\mathbf{P}$ be a left exact category with exact completion $\mathbf{A}$. Then for any object $P$ of $\mathbf{P}$, the slice $\mathbf{A}/P$ is the exact completion of $\mathbf{P}/P$. 

We shall use this in combination with the following facts about cartesian 
closure of exact completions. 

Lemma 7. Let $\mathbf{P}$ be a left exact category with exact completion $\mathbf{A}$. If $\mathbf{A}$ is cartesian closed, then for any objects $P$ and $Q$ of $\mathbf{P}$, there is a weak evaluation $e : F \times P \to Q$ from $P$ to $Q$ in $\mathbf{P}$, i.e. any map $\phi : X \times P \to Q$ can be expressed as $e \circ (f \times \mathrm{id}_P)$ for some $f : X \to F$ (here all of the last part of the statement takes place in $\mathbf{P}$). 
We shall need to deal with a monoidal structure that approximates a product. First some notation. 

Notation. The structure on $\mathbf{C}$ gives operations which we can loosely think of as pairing and projections, and which we shall write: 
\[
\langle f, g \rangle = (f \otimes g) \circ d_Z : Z \to X \otimes Y
\]
\[
\pi_0 = \rho_X \circ (\mathrm{id}_X \otimes t_Y) : X \otimes Y \to X
\qquad
\pi_1 = \lambda_Y \circ (t_X \otimes \mathrm{id}_Y) : X \otimes Y \to Y
\]
We shall use $(a, b)$, $p_0$ and $p_1$ for the usual pairing and projections from a categorical product. 

Returning to our main interest, if a square exhibits $g$ as the tracing map of a morphism in $\mathcal{F}(\mathbf{C})$ [diagram missing], then we can replace $g$ by any morphism $f$ of $\mathbf{C}$ such that $\underline{f}$ extends $\underline{g}$. It follows that if we have constructed some morphism $f$ in $\mathbf{C}$, then we will not be able to prove that $\underline{f}$ is a particular partial function $h$, only that it is an extension of $h$. Moreover, we have seen that our monoidal structure is not a product, but the product is related by retraction. This motivates the following definition: 

Definition 3. Suppose $\mathbf{C}$ is a monoidal category equipped with a functor $\underline{(\ )}$ into $\mathbf{Ptl}$, together with families of maps $t_C : C \to I$ and $d_C : C \to C \otimes C$, as in our standard structure. Then we say that a morphism $f : A \to B$ extends a morphism $g : A \to B$ (written $g \sqsubseteq f : A \to B$) if $\underline{g} \subseteq \underline{f}$. We now say that a map $e : F \otimes C \to C'$ is a weak partial evaluation from $C$ to $C'$ if for every map $\phi : X \otimes C \to C'$ there is a total $f : X \to F$, such that $e \circ (f \otimes \mathrm{id}_C) \circ \varepsilon$ extends $\phi \circ \varepsilon$, where $\varepsilon : X \otimes C \to X \otimes C$ is the “$\eta$-retraction” for pairing $\varepsilon = \langle \pi_0, \pi_1 \rangle$. 

This differs from a standard definition of partial function space in that it does not demand that arbitrary partial functions be represented, only that some extension of them be, and also in that the equation unexpectedly passes through the “$\eta$-retraction” for pairing. This can be viewed as saying that the equation does not have to hold on the whole of $X \otimes C$, but only on those elements which are actually ordered pairs. 

Moreover, the definition we have given depends upon U to give notions of 
totality and extension for morphisms in C. However, instead of deriving these 
notions directly from U , we could instead use the “diagonal” and “terminal” 
maps in C to give internal definitions. This is a standard trick in p-categories. 
and fortunately agrees with our other definition. It follows that if we regard the 
“diagonal” and “terminal” maps as part of our structure, then we can reasonably 
suppress mention of this dependence on U . 

Proposition 2. Suppose $\mathbf{C}$ and $U : \mathbf{C} \to \mathbf{Ptl}$ satisfy our running assumptions; then if the exact completion of $\mathcal{F}(\mathbf{C})$ is locally cartesian closed, then for any pair of objects $C$ and $C'$ of $\mathbf{C}$, there is an object $F$ of $\mathbf{C}$ and a map $e : F \otimes C \to C'$, such that for any map $\phi : X \otimes C \to C'$, there is a map $f : X \to F$ such that $\underline{f}$ is total and $e \circ (f \otimes \mathrm{id}_C) \circ \varepsilon$ extends $\phi \circ \varepsilon : X \otimes C \to C'$, where $\varepsilon : X \otimes C \to X \otimes C$ is the $\eta$-retraction for pairing $\varepsilon = \langle \pi_0, \pi_1 \rangle$, as before. 

Corollary 2. If in the above the functor $U$ is faithful, then the exact completion of $\mathcal{F}(\mathbf{C})$ is locally cartesian closed if and only if $\mathbf{C}$ has weak partial evaluations. 

The corollary follows immediately from the proposition, which, however, is 
technically the most demanding result in the paper. The proof depends on the use 
of cartesian closure in a slice category to define the weak partial evaluation. More 
specifically we work in a slice over a set derived from the possible subfunctions 
of the identity on C in order to get a generic function space. Details are in the 
full version of this paper. 
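The following worked instance is added here as an illustration and is not part of the paper: it spells out the product structure of section 3 (Lemmas 1–4) and the weak partial evaluations of Definition 3 and Proposition 2 in the Kleene setting of Example 1. The concrete choices (the pairing code $2^m3^n$, the unit $I = \mathsf{N}$ with $\psi(*) = 0$, the inclusion as $\underline{(\ )}$, and the letter $\varepsilon$ for the $\eta$-retraction to keep it apart from the evaluation map $e$) are assumptions made for concreteness.

```latex
% Added worked instance (not from the paper): Example 1's Kleene setting.
% Assumptions made here: pairing code theta(m,n) = 2^m 3^n, unit I = N with psi(*) = 0,
% and the underlying-set functor is the inclusion of partial recursive functions in Ptl.

\paragraph{Setting.}
Let $\mathbf{C}$ be the one-object category $\mathsf{N}$ whose morphisms are the
partial recursive functions $\mathbb{N}\rightharpoonup\mathbb{N}$, with
$\underline{(\ )}:\mathbf{C}\to\mathbf{Ptl}$ the inclusion, so $\underline{\mathsf N}=\mathbb N$.
Put $I=\mathsf N$ and $\mathsf N\otimes\mathsf N=\mathsf N$, with structural maps
\[
\psi:1\to\mathbb N,\ \psi(*)=0,\qquad
\theta:\mathbb N\times\mathbb N\to\mathbb N,\ \theta(m,n)=2^m3^n .
\]
Both are total; $\theta$ is injective but not surjective ($5$ codes no pair).
On morphisms, $f\otimes g$ sends $2^m3^n$ to $2^{f(m)}3^{g(n)}$ and is undefined
on non-codes, so $\theta\circ(\underline f\times\underline g)=\underline{f\otimes g}\circ\theta$:
$\theta$ is natural, and $\underline{(\ )}$ is a (faithful) monoidal functor.

\paragraph{Lemmas 1, 2 and 4.}
The maps the lemmas ask for exist in $\mathbf C$ and are total recursive:
\[
t_{\mathsf N}(n)=0=\psi(!(n)),\qquad
d_{\mathsf N}(n)=2^n3^n=\theta(\Delta_{\mathbb N}(n)).
\]
Hence the monoidal structure on $\mathcal F(\mathbf C)$ is a product. For objects
$\sigma:S\to\mathbb N$ and $\tau:T\to\mathbb N$,
\[
\sigma\otimes\tau=\theta\circ(\sigma\times\tau):S\times T\to\mathbb N,\qquad
(s,t)\mapsto 2^{\sigma(s)}3^{\tau(t)},
\]
which is the usual product of partitioned assemblies.

\paragraph{Lemma 3.}
Take $\rho,\lambda$ to read off the first, resp.\ second, exponent of a code,
and write $\mathrm{fst},\mathrm{snd}$ for the (partial) decoding functions. Then
\[
\underline{\pi_0}(k)=\rho\big(2^{\mathrm{fst}(k)}3^{0}\big)=\mathrm{fst}(k),\qquad
\underline{\pi_1}(k)=\lambda\big(2^{0}3^{\mathrm{snd}(k)}\big)=\mathrm{snd}(k),
\]
both defined exactly on codes. The $\eta$-retraction
$\varepsilon=\langle\pi_0,\pi_1\rangle=(\pi_0\otimes\pi_1)\circ d_{\mathsf N}$ has
\[
\underline{\varepsilon}(k)=\theta(\mathrm{fst}(k),\mathrm{snd}(k))=
\begin{cases} k & \text{if } k=2^m3^n,\\ \text{undefined} & \text{otherwise,}\end{cases}
\]
so $\underline\varepsilon$ is the idempotent split by
$\mathbb N\xrightarrow{(\underline{\pi_0},\underline{\pi_1})}\mathbb N\times\mathbb N\xrightarrow{\theta}\mathbb N$.
It is not the identity: $\underline{\mathsf N\otimes\mathsf N}=\mathbb N\not\cong\mathbb N\times\mathbb N$,
and the $\eta$ law $\langle\pi_0,\pi_1\rangle=\mathrm{id}$ holds only on genuine pairs.

\paragraph{Definition 3 and Proposition 2.}
Take $F=\mathsf N$ and let $e:\mathsf N\otimes\mathsf N\to\mathsf N$ be Kleene application,
$\underline e(2^m3^n)=\varphi_m(n)$. Given any $\phi:\mathsf N\otimes\mathsf N\to\mathsf N$,
the s-m-n theorem gives a total recursive $f$ with $\varphi_{f(x)}(c)=\underline\phi(2^x3^c)$, and then
\[
\underline{e\circ(f\otimes\mathrm{id})\circ\varepsilon}\,(2^x3^c)
=\varphi_{f(x)}(c)=\underline\phi(2^x3^c)
=\underline{\phi\circ\varepsilon}\,(2^x3^c),
\]
with both sides undefined off the codes. So $e$ is a weak partial evaluation from
$\mathsf N$ to $\mathsf N$; here the required extension is even an equality, whereas
in general the construction of $f$ only determines $\underline f$ up to enlarging its domain.
```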



6 Consequences for Realizability 

In this section we draw out the consequences of our previous results in the case that most interests us. We shall suppose that $\mathbf{C}$ is a category of sets and functions and that $\underline{(\ )}$ is the underlying set functor. Thus $\underline{(\ )}$ is faithful. What we have in mind is that $\mathbf{C}$ is the category obtained from some form of typed partial applicative structure, as in Longley [13], but part of the game is to see how much of that structure we can reconstruct from properties of the resulting realizability category. 

In section 3, we examined the case when a monoidal structure induced a product on $\mathcal{F}(\mathbf{C})$. In lemma 4 we showed that in this case we had a diagonal $d_C : C \to C \otimes C$ and a collection of maps into the unit $t_C : C \to I$, satisfying certain properties. We have seen that these induce projections $\pi_0 : X \otimes Y \to X$ and $\pi_1 : X \otimes Y \to Y$, and a form of pairing $\langle a, b \rangle : Z \to X \otimes Y$. This pairing satisfies the beta laws 
\[
\pi_0 \circ \langle a, b \rangle = a \qquad \text{and} \qquad \pi_1 \circ \langle a, b \rangle = b
\]
but not necessarily the eta law 
\[
\langle \pi_0, \pi_1 \rangle = \mathrm{id} : X \otimes Y \to X \otimes Y.
\]


An Abstract Look at Realizability 185 

The result is that we have something which is almost, but not quite, a category of partial maps on a category with finite products. It is interesting to compare with the formalisms given in [15], and to check when the equations listed there are satisfied. It turns out that the transformations have the correct naturality properties, but equations whose domains are tensors $X \otimes Y$ are valid only when composed with the retraction on $X \otimes Y$. We can therefore obtain a category of partial maps by splitting suitable idempotents. Since idempotents split in $\mathbf{Ptl}$, $\underline{(\ )}$ extends to the resulting category (though it is not obviously still faithful). Now 

Lemma 8. If in $\mathbf{C}$, $C$ is a retract of $D$, via $C \xrightarrow{\ i\ } D \xrightarrow{\ r\ } C$ with $r \circ i = \mathrm{id}_C$, then an object $f : X \to \underline{C}$ of $\mathcal{F}(\mathbf{C})$ is isomorphic to $\underline{i} \circ f : X \to \underline{D}$. 

Corollary 3. If $\underline{(\ )} : \mathbf{C} \to \mathbf{Ptl}$ and $\mathbf{D}$ is a category obtained from $\mathbf{C}$ by splitting idempotents, then $\underline{(\ )}$ extends to $\mathbf{D}$, and $\mathcal{F}(\mathbf{D})$ is equivalent to $\mathcal{F}(\mathbf{C})$. 

So this process does not affect the resulting category. 

This means that if $\mathcal{F}(\mathbf{C})$ is a left exact category (or more exactly if it is lex and that structure is obtained from monoidal structure on $\mathbf{C}$), then $\mathbf{C}$ must already have interpretations of the combinators for pairing and unpairing satisfying similar properties to the pairing and unpairing in $\mathbf{Ptl}$. At this level, then, we parallel very closely the structure used by Birkedal [3], with only the minor details of certain equations holding only up to $\eta$. 

Suppose now that $\mathcal{F}(\mathbf{C})_{\mathrm{ex}}$ is locally cartesian closed. Then by corollary 2, $\mathbf{C}$ has weak partial evaluations. This means that for any pair $C, D$ of objects of $\mathbf{C}$, there is an object which we can call $[C \Rightarrow D]$ together with an evaluation map $e : [C \Rightarrow D] \otimes C \to D$. This generates an “application” in $\mathbf{Ptl}$: $\underline{e} \circ \theta : \underline{[C \Rightarrow D]} \times \underline{C} \to \underline{D}$. This is more general than the structure used by Birkedal. We use it to construct a partial combinatory type structure in the sense of Longley [13]. 

The type world $T$ is the set $\mathbf{C}_0$ of objects of $\mathbf{C}$, the binary product operation $C \times D$ is tensor product $C \otimes D$, and the arrow type is given by the weak partial evaluations $[C \Rightarrow D]$. The associated family of sets is $(A_C \mid C \in \mathbf{C}_0) = (\underline{C} \mid C \in \mathbf{C}_0)$, and the application functions $\underline{[C \Rightarrow D]} \times \underline{C} \to \underline{D}$ are as above. 

Longley’s structure also requires $s$ and $k$ combinators, along with combinators for pairing and first and second projections. These are obtained by currying corresponding maps in $\mathbf{C}$. For example, the combinator $k \in \underline{[C \Rightarrow D \Rightarrow C]}$ is obtained from $\pi_0 : C \otimes D \to C$. We first curry to get a map $k_1 : C \to [D \Rightarrow C]$, and then again to get $k_2 : I \to [C \Rightarrow D \Rightarrow C]$, apply $\underline{(\ )}$ to get a (total) function $\underline{I} \to \underline{[C \Rightarrow D \Rightarrow C]}$, and finally compose this with $\psi : 1 \to \underline{I}$ to get $k$. 

The construction of $s$ is similar, this time starting with 
\[
\begin{array}{c}
(C \Rightarrow D \Rightarrow E) \otimes (C \Rightarrow D) \otimes C \\
\downarrow{\scriptstyle\ \mathrm{id} \otimes \mathrm{id} \otimes d} \\
(C \Rightarrow D \Rightarrow E) \otimes (C \Rightarrow D) \otimes C \otimes C \\
\downarrow \\
(C \Rightarrow D \Rightarrow E) \otimes C \otimes (C \Rightarrow D) \otimes C \\
\downarrow \\
(D \Rightarrow E) \otimes D \\
\downarrow \\
E
\end{array}
\]
Pairing and unpairing combinators are also obtained in this way, and satisfy the requisite equations. This can be seen from the following lemma. 

Lemma 9. Suppose $f : C \to D$ is curried to give $F : I \to [C \Rightarrow D]$; then for all $c \in \underline{C}$, if $\underline{f}(c)$ is defined, then so is $(\underline{e} \circ \theta \circ (\underline{F} \times \mathrm{id}_{\underline{C}}))(\psi, c)$, and they are equal. 

Proof. $(\underline{e} \circ \theta \circ (\underline{F} \times \mathrm{id}_{\underline{C}}))(\psi, c) = (\underline{e} \circ \underline{F \otimes \mathrm{id}_C} \circ \theta)(\psi, c)$, and the result follows from corollary 2. $\square$ 

We thus have a partial combinatory type structure. This in turn generates a graph $\mathbf{C}'$ equipped with a graph morphism into $\mathbf{Ptl}$: the vertices are the same as the objects of $\mathbf{C}$, and the edges are the partial functions induced from the arrow types by application. It is irritating that $\mathbf{C}'$ is not necessarily a category: it may fail to be closed under composition (we only know that the composite of two partial functions in the graph can be extended to a third). But we only need this lax structure, not a full category, to define $\mathcal{F}(\mathbf{C}')$. Since any partial function obtained from $\mathbf{C}$ is extended by a partial function obtained from $\mathbf{C}'$, there is an embedding $\mathcal{F}(\mathbf{C}) \to \mathcal{F}(\mathbf{C}')$. Unfortunately, this is not necessarily an equivalence. The problem is that there is no reason why a partial function obtained from $\mathbf{C}'$ should extend to one obtained from $\mathbf{C}$. One way of viewing the problem is that in a typed pca, as a consequence of the K combinator, every element of a type is named by a constant function. This is not the case for us. The K combinator corresponds to a projection. Suppose, however, that $\mathbf{C}$ is concrete in the sense that every element of $\underline{C}$ is obtained from a morphism $I \to C$. In this case every partial function in $\mathbf{C}'$ is already in $\mathbf{C}$, and the realizability structure obtained categorically is identical to that obtained from the partial combinatory type structure. 

We now turn our attention to the case when $\mathcal{F}(\mathbf{C})_{\mathrm{ex}}$ has a subobject classifier. In that case we have that $\mathbf{C}$ has a universal object $V$, and applying lemma 8, we get that $\mathcal{F}(\mathbf{C})$ is equivalent to $\mathcal{F}(\mathbf{M})$ where $\mathbf{M}$ is the monoid of endomorphisms on $V$. 

Corollary 4. If $\mathcal{F}(\mathbf{C})_{\mathrm{ex}}$ is a topos, then it is equivalent to the topos constructed using the monoid of endomorphisms of the universal object in $\mathbf{C}$. 

Putting these observations together, we can see that if $\mathcal{F}(\mathbf{C})_{\mathrm{ex}}$ is a topos, then, much as in Scott [18], $\underline{V}$ is a partial combinatory algebra, and if $\mathbf{C}$ is concrete, then the topos obtained is the conventional realizability topos from this algebra. 
Abstract. We reveal a symmetric structure in the HO/N games model 
of innocent strategies, introducing rigid strategies, a concept dual to 
bracketed strategies. We prove a direct definability theorem of general 
innocent strategies with respect to a simply typed language of extended 
Böhm trees, which gives an operational meaning to rigidity in call-by-name. 
A corresponding factorization of innocent strategies into rigid ones 
with some form of conditional as an oracle is constructed. 



1 Introduction 

Game models have swept over the semantic grounds because of their accuracy 
in describing computations. They’re so precise indeed that reading them as 
a sort of infinite and glorified syntax seems reasonable to a certain extent. 
A lot is known about the variety of sequential behaviors they can express, 
which is a good thing. But our mathematical understanding of them is 
comparatively embarrassingly poor. And this is especially true of the HO/N kind of 
models [HO94,Nic94], which at the same time are certainly the most successful 
[HM99,DH00,McC96,AM97,AHM98,Lai97,MH99], i.e. the ones we’d most like 
to understand. 

The whole family of related Cartesian closed categories (Ccc) known as HO-models 
is organized around a common stable kernel Ccc of innocent strategies. 
We bring in this paper what we think is a significant clarification of this basic 
structure, by giving a clean decomposition of this kernel based upon the distinction 
between Questions and Answers. These were introduced in games to sort 
out which innocent strategies are necessarily (when defined by programs) using global 
control. The ones that don’t are called bracketed. When suitably abstracted this 
property has a dual which we call being rigid (co-bracketed seemed somewhat 
too heavy). 

This splits the innocent Ccc in two sub-Cccs with a dualizing endofunctor running 
in between. Subject to a technical condition about Answers, we prove that 
case, a suitable form of conditional, is a universal oracle with respect to rigidity — 
a result mirroring Laird’s proof that a form of ‘taster’ known as catch is an oracle 
for bracketedness [Lai97]. This brings to the fore an interesting duality between 
these oracles, namely that they form a retract. Moving to syntax we show that 
Herbelin’s language of classical Böhm trees from [Her97] defines any compact 
innocent strategy (in arenas interpreting simple types over Integers). This second 
result gives an operational interpretation of rigidity in a call-by-name world. 

Future Work. Concerning the factorization result we know an abstract treatment 
that relies on catch and case forming a retract; there are other such (non-innocent) 
retracts in the games universe and these are very likely to also have 
something to say about the wider model of single-threaded strategies. Concerning 
definability we give an original internal category-theoretic treatment which 
should be somewhat strengthened using more abstract tools and extended to 
cope with full polarized linear logic. That could also bring some deeper understanding 
on the mathematical side of affairs. 

On the logical side any kind of proof-theoretical analysis of rigid strategies would 
be welcome, e.g. a tautology they would depend on in the same way that global 
control is related to Peirce’s law. Finally, on the programming side, it’s a big 
question mark. Does rigid programming have any interest to simplify flow analysis, 
or to program in time- or security-constrained environments? How does it 
merge with imperative programming, or with call-by-value? Is it even a complete 
computability model? We don’t know, but we’d be surprised if a structurally 
cogent concept had no computational interest. 

2 Game Semantics 

We proceed first to the standard presentation of HO-style games. 

2.1 Arenas & Plays 

The basic “playing area” of a game is described as an arena. Formally, this is 
a triple $(M_A, \lambda_A, \vdash_A)$ where 

— $M_A$ is a countable set of moves. 

— $\lambda_A : M_A \to \{O, P\} \times \{Q, A\}$ is a function determining for each $m \in 
M_A$ whether it’s an Opponent or a Player move and a Question or an 
Answer. We denote by $\lambda^{OP}_A$ and $\lambda^{QA}_A$ its composition with the 1st and 2nd projection 
respectively. 

— $\vdash_A$ is a binary enabling relation on $M_A$ formalizing the temporal nature of 
arenas whereby the possibility of one move being played may be contingent 
on some other “enabling” move having already been played. 

An initial move of A is a move that has no enabler; we write $I_A$ for the set of 
such moves. To begin with, we ask two conditions on arenas: 
(a1) if $m \vdash_A n$ then $\lambda^{OP}_A(m) \neq \lambda^{OP}_A(n)$; 

(a2) if $m \in I_A$ then $\lambda^{OP}_A(m) = O$; 

i.e. the protagonists enable each other’s moves, not their own, and initial moves 
are Opponent moves. We record two further conditions on the enabling relation 
that will be ‘switched on’ later in the paper: 

(a3) if $m \in I_A$ then $\lambda^{QA}_A(m) = Q$; 

(a4) if $m \vdash_A n$ then $\lambda^{QA}_A(m) = Q$; 

i.e. initial moves can only be Questions, and Answers can’t be pointed at. Moves 
enabling no moves will be called terminal; thus (a4) can be rephrased as ‘Answers 
are terminal’. 

We’ll frequently use shorthand notation such as PQ for a move m such that 
$\lambda_A(m) = PQ$. 

Examples of Arenas. The unique arena with no moves at all is denoted by 
1. Another useful arena is $\bot$ where $M_\bot = \{q\}$ and $\lambda_\bot$ sends this to OQ. Any 
countable set X generates the discrete arena X with $M_X = X$ and $\lambda_X(m) = OA$ 
for all $m \in X$. In particular, we denote by C, B and N respectively the discrete 
arenas generated by $\{a\}$, $\{tt, ff\}$ and $\{0, 1, 2, \ldots\}$. Of course, none satisfy (a3). 

Plays & Legal Plays. A legal play in arena A consists of an OP-alternating 
string s equipped with a “pointer” from each non-initial move in s to some 
earlier enabling move in s. The set of all legal plays of A is written $\mathcal{L}_A$. The 
set of plays of A, written $P_A$, is defined to be the set of all suffixes of legal 
plays of A beginning with an O-move. In particular, $\mathcal{L}_A \subseteq P_A$, because of (a2). 
Note that a play of A may have “missing” pointers and may also begin with a 
non-initial move. 

Various Views. The view of a (non-empty) play $s \in P_A$ is defined inductively 
as follows. 

(v1) $V(sm) = m$, if m is an O-move with no pointer; 

(v2) $V(sntm) = V(s) \cdot nm$, if m is an O-move pointing to n; 

(v3) $V(sm) = V(s) \cdot m$, if m is a P-move; 

i.e. we follow back pointers from O-moves, skipping all intervening moves, and 
“step over” P-moves — until we reach a pointerless O-move. 

Note that the view of a legal play might not itself be legal because in the last 
clause, when m is a P-move, one might lose m’s pointer. If s is legal in A, then 
V(s)’s first move must be an initial O-move; if A has only terminal Answers and 
a PA-move occurs in V(s), then it is its last move. 

We define now an even more stringent notion of partial information. The R-view 
or the rigid view of a (non-empty) play $s \in P_A$ is defined inductively as follows. 

(r1) $R(sm) = m$, if m is an O-move with no pointer or an OA-move; 

(r2) $R(sntm) = R(s) \cdot nm$, if m is an OQ-move pointing to n; 

(r3) $R(sm) = R(s) \cdot m$, if m is a P-move; 

i.e. again we follow back pointers from Opponent Questions until either we 
“run out of pointers” or we reach an Opponent Answer. Obviously the rigid view 
of a play will be a suffix of its (normal) view. 

A dual of the rigid view, called the B-view or the bracket view, is obtained 
by switching the roles of Questions and Answers, i.e. we stop on pointerless 
O-moves or when we reach an Opponent Question (sometimes called the ‘pending 
question’). 



Product & Arrow. If A and B are arenas, we define their product $A \times B$ by: 

— $M_{A \times B} = M_A + M_B$, the disjoint union; 

— $\lambda_{A \times B} = [\lambda_A, \lambda_B]$, the copairing; 

— $m \vdash_{A \times B} n$ iff $m \vdash_A n$ or $m \vdash_B n$. 

This places A and B “side by side” with no chance of any interaction between 
them. The “empty arena” 1, defined above, is the unit for this constructor. This 
construction easily generalizes to countable products and we write $A^\omega$ for the 
product of countably many copies of A. 

Our other constructor is the arrow, defined by: 

— $M_{A \Rightarrow B} = M_A + M_B$; 

— $\lambda_{A \Rightarrow B} = [(\overline{\lambda^{OP}_A}, \lambda^{QA}_A), \lambda_B]$, where $\overline{\lambda^{OP}_A}(m) = O$ iff $\lambda^{OP}_A(m) = P$; 

— $m \vdash_{A \Rightarrow B} n$ iff $m \vdash_A n$ or $m \vdash_B n$ or ($m \in I_B$ and $n \in I_A$); 

i.e. the roles of Opponent and Player are reversed in A and the (formerly) initial 
moves of A are now enabled by the (still) initial moves of B. 

Conditions (a1) to (a3) are preserved by product and arrow, while (a4) is 
preserved by the arrow iff (a3) holds of B, of course. 



More Arenas. If X is the hyperflat arena generated by X, we define the flat 
arena over X to be $X \Rightarrow \bot$. The effect of this is to make the Answers of X 
non-initial P-moves, all enabled by the unique initial Question. 

We will sometimes write $\neg A$ as a shorthand for $A \Rightarrow \bot$, and $\mathbf{C}$, $\mathbf{B}$ and $\mathbf{N}$ for 
$\neg C$, $\neg B$ and $\neg N$. An arena of the form $\neg A$ is known as a pointed arena. By 
construction, any flat arena is pointed. Moreover, if B is pointed, i.e. of the form 
$B' \Rightarrow \bot$ for some B', then $A \Rightarrow B$ is pointed too, regardless of A, as can be 
easily seen since it’s isomorphic to $\neg(A \times B')$. 
2.2 Innocent Strategies 

A strategy σ for arena A is a non-empty set of even-length legal plays of A 
satisfying 

(s1) if $sab \in \sigma$ then $s \in \sigma$; 

(s2) if $sab \in \sigma$ and $sac \in \sigma$ then $sab = sac$; 

i.e. σ is deterministic and closed under even-length prefixes. For the purposes of 
this paper, we’ll spend most, but not all, of the time in the more restricted class 
of innocent strategies, defined to be those strategies σ further satisfying 

(s3) if $sab \in \sigma$ then b points to a move in $V(sa)$; 

(s4) if $sab \in \sigma$, $t \in \sigma$, $ta \in \mathcal{L}_A$ and $V(sa) = V(ta) = v$ then $tab \in \sigma$ where both 
bs point to the same move in v; 

Condition (s4) implies (s3), by just taking s = t; (s3) is known as P-visibility 
and is exactly saying that σ’s views are legal plays, while (s4) says that these 
views are enough to completely describe σ’s behaviour. 

No two O-moves in a view are pointing to the same P-move and the view of 
a play is a linearization of O’s behavior so far. Constraining strategies to play 
innocently enforces a particular way they access and handle information which 
is strongly related to linear head reduction as shown in [DHR96,Her97,Lev98]. 

The innocent strategies on arena A form an ω-algebraic CPO when ordered by 
subset inclusion; the compact strategies are precisely those with a finite number 
of distinct views. 



Interactions. Let u be a finite string of moves from arenas A, B and C equipped 
with pointers. We define $u \restriction B, C$ to be the subsequence of u where we delete 
all moves from and pointers to A; $u \restriction A, B$ is defined similarly. Next, we define 
$u \restriction A, C$ by removing all moves from and pointers to B and additionally, in the 
case where $a \in M_A$ points to $b \in M_B$ which, in turn, points to $c \in M_C$, we 
‘compose’ these pointers, i.e. make a point directly to c in $u \restriction A, C$. 

In the sequel, we will refer to these as respectively the two inner projections and 
the outer projection. 

A legal interaction of A, B and C is such a u satisfying $u \restriction A, B \in \mathcal{L}_{A \Rightarrow B}$, 
$u \restriction B, C \in \mathcal{L}_{B \Rightarrow C}$ and $u \restriction A, C \in \mathcal{L}_{A \Rightarrow C}$ (i.e. all three projections are legal). The 
set of all legal interactions (of A, B and C) is written $\mathrm{int}(A, B, C)$. (An example 
is given in Fig. 1.) 

Composition of Strategies. With this definition in place, we define the composite 
of strategies $\sigma : A \Rightarrow B$ and $\tau : B \Rightarrow C$ by: 

$$\sigma ; \tau = \{\, u \restriction A, C \mid u \in \mathrm{int}(A, B, C) \wedge u \restriction A, B \in \sigma \wedge u \restriction B, C \in \tau \,\}.$$ 

This is easily seen to define a set of even-length legal plays. A bit more work 
is needed to show it does define a valid strategy for $A \Rightarrow C$. In fact, one can 
define a symmetric closed category with arenas as objects, strategies on $A \Rightarrow B$ 
as arrows from A to B, and the tensor and exponential structure defined from 
the arena constructors × and ⇒ introduced above. Specializing to innocent 
strategies makes the product a cartesian product indeed and yields a Cartesian 
closed category. 

2.3 Rigid and Bracketed Strategies 

We now make use of our truncated views to define two more conditions on 
strategies. The second is already well-known from the original work of Hyland 
and Ong. The purpose of the paper is to introduce and analyze the first. 

(s5) if $sab \in \sigma$ and $\lambda^{QA}(b) = Q$, b points in $R(sa)$; 

(s6) if $sab \in \sigma$ and $\lambda^{QA}(b) = A$, b points in $B(sa)$. 

A strategy σ for arena A is said to satisfy R-visibility, or to be rigid, when 
satisfying (s5) and to satisfy B-visibility, or to be bracketed, when satisfying 
(s6). Note that condition (s5) only bites on Questions and dually (s6) only on 
Answers. Their conjunction implies (s3). 

Any rigid strategy on a ‘function’ type can inspect at most one of its arguments, 
and only once, and then return immediately. Rigid strategies tend not to question 
too long once they get an answer, while bracketed ones tend not to answer too 
fast. 

Rigidity is preserved by composition only subject to a certain condition. 

Proposition 1 Let B be an arena without initial answers and $\sigma : A \Rightarrow B$, 
$\tau : B \Rightarrow C$ be rigid strategies, then $\sigma ; \tau$ is rigid as well. 

The proof follows the general method developed for bracketedness and P-visibility 
by McCusker [McC98]. In Fig. 1 a shortest counterexample is given when initial 
Answers are allowed in the middle arena B. Both inner projections $a_2 q_3$ and 
$q_1 q_2 a_1$ are legal rigid plays and the outer one $q_1 q_2 a_1 q_3$ is legal too but not rigid 
because $R(q_1 q_2 a_1 q_3) = a_1 q_3$ and $q_3$ points past $a_1$ to $q_1$. 

Proposition 2 Let A be an arena without initial answers and $\sigma : A \Rightarrow B$, 
$\tau : B \Rightarrow C$ be bracketed strategies, then $\sigma ; \tau$ is bracketed as well. 

A slight variation also gives a counterexample for bracketedness when the 
leftmost arena A has an initial Answer. 
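As an added illustration (example code written for this edit, not from the paper), the three truncated views and the conditions (s3), (s5) and (s6) can be computed on plays represented as lists of moves carrying a back-pointer index. Both sample plays are constructed: the first has the shape of the Fig. 1 outer play q1 q2 a1 q3 described above (that a1 answers q2 is an assumption), the second is a premature Answer of the kind catch plays.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Move:
    name: str
    player: str              # 'O' (Opponent) or 'P' (Player)
    kind: str                # 'Q' (Question) or 'A' (Answer)
    pointer: Optional[int]   # index of the move this one points to; None if pointerless


def _view(play: List[Move], k: int, stop_kind: Optional[str]) -> List[int]:
    """Indices of the truncated view of play[:k+1].

    stop_kind=None computes the view V (v1)-(v3); 'A' computes the rigid view R,
    which also restarts on an Opponent Answer (r1); 'Q' computes the bracket
    view B, which restarts on an Opponent Question instead."""
    m = play[k]
    if m.player == 'P':                               # (v3)/(r3): step over a P-move
        return ([] if k == 0 else _view(play, k - 1, stop_kind)) + [k]
    if m.pointer is None or m.kind == stop_kind:      # (v1)/(r1): the view restarts here
        return [k]
    n = m.pointer                                     # (v2)/(r2): jump back to the pointed move n
    return ([] if n == 0 else _view(play, n - 1, stop_kind)) + [n, k]


def view(play):          return [play[i].name for i in _view(play, len(play) - 1, None)]
def rigid_view(play):    return [play[i].name for i in _view(play, len(play) - 1, 'A')]
def bracket_view(play):  return [play[i].name for i in _view(play, len(play) - 1, 'Q')]


def _player_moves_point_into(play, stop_kind, only_kind=None) -> bool:
    """Check that every P-move b (of kind only_kind, if given) points into the
    truncated view of the prefix sa before it: this is (s3), (s5) or (s6)."""
    for k, b in enumerate(play):
        if b.player != 'P' or (only_kind and b.kind != only_kind):
            continue
        if k == 0 or b.pointer not in _view(play, k - 1, stop_kind):
            return False
    return True


def is_p_visible(play):      return _player_moves_point_into(play, None)        # (s3)
def is_rigid_play(play):     return _player_moves_point_into(play, 'A', 'Q')    # (s5)
def is_bracketed_play(play): return _player_moves_point_into(play, 'Q', 'A')    # (s6)


# Constructed play 1, the shape of the Fig. 1 outer projection: q3 points past a1 to q1.
FIG1_OUTER = [
    Move('q1', 'O', 'Q', None),
    Move('q2', 'P', 'Q', 0),
    Move('a1', 'O', 'A', 1),    # assumption: a1 answers q2
    Move('q3', 'P', 'Q', 0),
]

# Constructed play 2, a premature Answer: P answers q0 while Opponent's q2 is pending.
PREMATURE_ANSWER = [
    Move('q0', 'O', 'Q', None),
    Move('q1', 'P', 'Q', 0),
    Move('q2', 'O', 'Q', 1),
    Move('a',  'P', 'A', 0),
]

if __name__ == '__main__':
    for p in (FIG1_OUTER, PREMATURE_ANSWER):
        print(view(p), rigid_view(p), bracket_view(p),
              is_p_visible(p), is_rigid_play(p), is_bracketed_play(p))
```

The first play is P-visible and (vacuously) bracketed but not rigid, exactly as the text says of the Fig. 1 outer play; the second is rigid but not bracketed.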

If we now restrict to arenas where initial moves can only be questions, i.e. if 
$m \in I_A$ then $\lambda^{QA}_A(m) = Q$, which was condition (a3), then both our constraints 
pass the ‘composition test’ and generate sub-Cccs. 

Before looking for a syntactic materialization of rigidity, we look for strategies 
seriously violating the constraint (to be used in the factorization section). 
Fig. 1. Losing rigidity with a middle initial Answer. 



2.4 Oracles 

Since the strategies we want to describe now are all innocent, it is enough to 
describe their views, and by prefix closure it is even enough to define their 
maximal views. Thus case is uniquely defined on arena $\mathbf{N} \Rightarrow \mathbf{N}^\omega \Rightarrow \mathbf{N}$ as including 
the views represented in Fig. 2, where i, j range over the integers and $q_i$ denotes the 
initial question in the ith factor of $\mathbf{N}^\omega$; and for all n > 0, $\mathrm{case}_n$ on $\mathbf{N} \Rightarrow \mathbf{N}^n \Rightarrow \mathbf{N}$ 
is defined as case except it responds to i with $q_i$ only when i < n. All these 
strategies are innocent, bracketed but none are rigid (because of the Questions $q_i$). 




Fig. 2. case and catch views. 



On the dual side of the matter, we have catch defined on the ‘converse’ arena 
$(\mathbf{N}^\omega \Rightarrow \mathbf{N}) \Rightarrow \mathbf{N}$, and described in Fig. 2, and similarly the miniaturized versions 
$\mathrm{catch}_n$ on arenas $(\mathbf{N}^n \Rightarrow \mathbf{N}) \Rightarrow \mathbf{N}$, which are all innocent, rigid but not bracketed 
(because of the premature Answers i). 

Proposition 3 (retract) The pair $\mathrm{catch} : (\mathbf{N}^\omega \Rightarrow \mathbf{N}) \Rightarrow \mathbf{N}$ and $\mathrm{case} : \mathbf{N} \Rightarrow 
\mathbf{N}^\omega \Rightarrow \mathbf{N}$ defines a retract, i.e. $\mathrm{case} ; \mathrm{catch} = \mathrm{id}_{\mathbf{N}}$. 

The proof is an easy exercise in composition. 

The functor ‘?’ of which the object part is $?A = \overline{A} \Rightarrow \bot$ (i.e. it flips Questions 
and Answers and ‘negates’ the arena, so that $?\bot = \neg C$, $?(\bot \times \bot) = \neg B$ and 
$?(\bot^\omega) = \neg N$) maps the rigid sub-Ccc to the bracketed one and vice-versa. In 
particular condition (a3) is always preserved (but (a4) is not). 

Perhaps we have here the beginnings of a control and co-control category pair 
as axiomatised in [Sel99]. A deeper analysis of this functor should clarify — in 
a suitably abstract sense — the duality between Questions and Answers, maybe 
leading to a model of polarized linear logic [Lau99]. 

3 Definability 

3.1 Classical Böhm Trees 

It’s time by now that we find a syntax expressive enough to define our compact 
strategies and home in on a precise picture of what it means in this language 
to be rigid. The tersest solution at hand seems to be CBT, Herbelin’s classical 
Böhm trees (documented in [Her97]). 

We assume an infinite supply of λ- and μ-variables respectively ranged over by 
xs and αs. Terms come in two flavours, the executables written E, and the 
functionals written F, and we also single out C, a sub-species of E, for reasons 
to be clear at the end of the section (suspense!). 

$$C ::= \Omega \mid [\alpha]n$$ 
$$E ::= C \mid \mathrm{case}\ (x)\vec{F}\ \mathrm{of}\ 0 \mapsto E_0, \ldots, n \mapsto E_n$$ 
$$F ::= \lambda\vec{x}.\mu\alpha.E$$ 

Types are usual simple types built over some base types using implication only. 
Here we’ll be content with Nat as the only base type. Typing judgments also come 
in two flavors: $\Gamma ; \Delta \vdash E$ (for executables) and $\Gamma ; \Delta \vdash F : A$ (for functionals), 
where A is any type, Γ is any finite set of types annotated by λ-variables and 
Δ is any finite set of base types annotated by μ-variables. These judgments 
are derived using the rules in Fig. 3. Maybe the simplest instructive example is 
$\mathrm{catch}_2 = \mathrm{case}\ (f\ \mu\beta.[\alpha]0\ \mu\beta.[\alpha]1)\ \mathrm{of}\ 0 \mapsto [\alpha]0, 1 \mapsto [\alpha]1$, which can be typed in 
the context $f : \mathrm{Nat} \Rightarrow \mathrm{Nat} \Rightarrow \mathrm{Nat};\ \alpha : \mathrm{Nat}$. 

The evaluation of a functional term applied to a series of functional arguments 
is governed by the following principle: a μα catches any integer thrown by the 
[α]s it statically binds; this integer is then matched against the continuation 
$0 \mapsto E_0, \ldots, n \mapsto E_n$ offered by the case that μα was substituted in (if any), 
and the matching executable is run. For instance evaluating $\mathrm{catch}_2$ in a context 
where $f = \lambda x \lambda y.\mu\beta.\mathrm{case}\ x\ \mathrm{of}\ 0 \mapsto \Omega$ will end directly throwing 0 to the free 
continuation α, whereas if $f = \lambda x \lambda y.\mu\beta.[\beta]0$, the result will be the same but 
going through the continuation part. 

$$\Gamma ; \Delta, \alpha : \mathrm{Nat} \vdash \Omega \qquad\qquad \Gamma ; \Delta, \alpha : \mathrm{Nat} \vdash [\alpha]n$$ 

$$\frac{\Gamma, x : A ;\ \Delta, \alpha : \mathrm{Nat} \vdash E}{\Gamma ; \Delta \vdash \lambda x.\mu\alpha.E : A \Rightarrow \mathrm{Nat}}$$ 

$$\frac{(\Gamma ; \Delta \vdash F_i : A_i)_{i = 1 \ldots p} \qquad (\Gamma ; \Delta \vdash E_j)_{j = 0 \ldots n}}{\Gamma, x : A_1 \Rightarrow \cdots \Rightarrow A_p \Rightarrow \mathrm{Nat} ;\ \Delta \vdash \mathrm{case}\ (x) F_1 \cdots F_p\ \mathrm{of}\ 0 \mapsto E_0, \ldots, n \mapsto E_n}$$ 

Fig. 3. CBT typing rules. 



3.2 Some Useful Strategies 

We need two auxiliary strategies to perform our decomposition. For all natural 
numbers n, we have a strategy $\mathrm{a2q}_n$ in $\mathbf{N} \Rightarrow \bot^n$ which responds to the initial 
Question in the ith copy, i < n, of $\bot^n$ with the Answer i in $\mathbf{N}$. In other words, 
it performs a trivial (and partial) mapping from data to space. 

For any arena A, we also have a ‘linearizing’ strategy $\mathrm{lin}_A$ in $(\neg A_1 \Rightarrow \bot) \Rightarrow 
\neg A_2 \Rightarrow A_3$ (indices are there to distinguish occurrences of the same arena A) 
which separates out the first “thread of activity” (or “copy”) of $A_1$ into $A_3$, removing 
the two opening Questions (in $\bot$ and $\neg A_1$) in the process. The remaining 
threads of $A_1$ are transposed into $A_2$. Thus, a typical play looks as in Fig. 4, 
with the second thread pictured as dotted pointers. Note that $\mathrm{lin}_A$ is not innocent 
since at each opening Question by Opponent in $\neg A_1$, it has the same view 
$m_1 q q$, and by definition responds differently the first time, thus violating (s4); 
in general, it is not bracketed either, because the second $m_2$ can be an Answer, 
and it points past the pending q played by Opponent in its view $m_1 q q m_1 m_2$. It 
does satisfy all the rest yet, namely P-visibility and rigidity. 



3.3 Decomposition 

In a moment we’re going to give a decomposition argument for definability of 
compact innocent strategies. That is, we explain how any such strategy can be 
obtained as the interpretation of some term. As said, the language we’re going 
to use is CBT. The argument itself follows the general form of the Hyland-Ong 
decomposition, adapted to the unbracketed case, and also internalizing the vital 
‘separation of head occurrence’ step. 
Fig. 4. A play of $\mathrm{lin}_A$ (in the arena $\neg A_1 \Rightarrow \bot \longrightarrow \neg A_2 \Rightarrow A_3$). 

Our only base type Nat is interpreted by the flat arena $\mathbf{N}$, and thus every simple 
type over the Integers has a natural arena associated; conversely we say an arena 
B is a simple arena if it is of one of the two following forms 

$$A_1 \times \cdots \times A_n \times b_1 \times \cdots \times b_m \Rightarrow \bot,$$ 

$$A_1 \times \cdots \times A_n \times b_1 \times \cdots \times b_m \Rightarrow A$$ 

where $A_1, \ldots, A_n, A$ are arenas interpreting types, and $b_1, \ldots, b_m$ are discrete 
arenas coming from base types (integers here). 

Proposition 4 (definability) Any compact innocent strategy σ on some 
simple arena is CBT definable. 

If σ’s arena is not of the first form, we uncurry (and munge around) σ, arriving 
at a strategy for 

$$A_1 \times \cdots \times A_p \times b_1 \times \cdots \times b_m \Rightarrow B,$$ 

with B a flat arena. Since B is of the form $b_{m+1} \Rightarrow \bot$ for some discrete arena 
$b_{m+1}$, we can uncurry one more time, yielding σ' for 

$$A_1 \times \cdots \times A_p \times b_1 \times \cdots \times b_{m+1} \Rightarrow \bot,$$ 

an arena of the first form. We abbreviate the product of the $A_i$s by Γ and the 
‘μ-context’, i.e. the product of the $b_j$s, by Δ (it is just a product of discrete 
natural number arenas N). 

And now, let’s look at σ'’s response to the initial Question in $\bot$ (we know there 
is at most one response from (s2)). 

— If it has no response, then σ' is defined by 

$$x_1 : T_1, \ldots, x_p : T_p ;\ \alpha_1 : U_1, \ldots, \alpha_{m+1} : U_{m+1} \vdash \Omega$$ 

where the $T_i$s are the types corresponding to the $A_i$s and the $U_j$s are the types 
corresponding to the $\neg b_j$s. 

— If it responds with some Answer a in $b_j$, then σ' is defined by 

$$x_1 : T_1, \ldots, x_p : T_p ;\ \alpha_1 : U_1, \ldots, \alpha_{m+1} : U_{m+1} \vdash [\alpha_j]\underline{a}$$ 

where $\underline{a}$ is the language constant corresponding to the move a. 

— If it responds with a Question in $A_i$, then writing 
$\vec{B}_i = A_{i,1} \times \cdots \times A_{i,k_i} \times b_i$, we know $A_i$ is isomorphic to $\vec{B}_i \Rightarrow \bot$, and we may 
decompose the strategy into its “arguments” to $A_i$ and its “continuations” from 
$A_i$ by a composition with the appropriate $\mathrm{lin}_{\vec{B}_i}$, namely: 

$$(\Gamma / A_i) \times \Delta \longrightarrow A_i \Rightarrow \vec{B}_i$$ 

and thus, uncurrying $A_i$ back: 

$$(\sigma') ; \mathrm{lin}_{\vec{B}_i} : \Gamma \times \Delta \Rightarrow \vec{B}_i$$ 

Note that the resulting strategy is still rigid if σ' was in the first place (by 
proposition 1, since the middle arena here, $\neg A_i$, being pointed, has no initial 
Answers). It can also be shown that it is innocent. 

— each “argument” strategy $\sigma_j : \Gamma \times \Delta \Rightarrow A_{i,j}$ has a strictly smaller set 
of views than σ' and can therefore be defined by some functionals $F_j$ by 
inductive hypothesis; 

— since σ' is compact, the “continuation” strategy $\sigma_c : \Gamma \times \Delta \Rightarrow b_i$ with $b_i = N$ 
has no response to initial moves m > n for some n. Hence we extract n + 1 
continuations by forming the composite $\sigma_c ; \mathrm{a2q}_{n+1} : \Gamma \times \Delta \Rightarrow \bot^{n+1}$ and, 
again by the inductive hypothesis, these n + 1 continuations are definable by 
some executables $E_i$ for $0 \le i \le n$. 

The strategy σ' can now be seen as the semantics of the executable E: 

$$\Gamma ; \Delta \vdash \mathrm{case}\ (x_i) F_1 \cdots F_{k_i}\ \mathrm{of}\ 0 \mapsto E_0, \ldots, n \mapsto E_n$$ 

and we finally get a functional defining σ by λ-abstracting the appropriate $x_i$s 
and μ-abstracting $\alpha_{m+1}$, i.e. $\lambda x_{n+1} \cdots \lambda x_p . \mu\alpha_{m+1}. E$. 
3.4 The Rigid Case 

The constraint of being rigid has dramatic effect on the shape of the functional 
extracted from the above argument. If we examine the views of σ' that contribute 
to the continuation strategy $\sigma_c$, we find that they all begin as in: 

$$\cdots \times A_i \times \cdots \times b_j \times \cdots \Rightarrow \bot$$ 

But at this point, the rigid view is just the last move, namely the Answer a. 
Since, in a simple type, all Answers are terminal, this means that we cannot play 
a Question: if we did, it would have to point at the Answer a, which is impossible. 
So, if we play anything at all, we’re forced to play an Answer — which is only 
possible in one of the $b_j$s. 

In more operational terms, the continuations, i.e. the $E_i$s, have to be of the form 
$[\alpha]a$ or Ω. In other words, we can’t “nest” case statements. We can easily give a 
precise grammar of “rigid” Böhm trees, say RBT, matching exactly this syntactic 
constraint: 

$$C ::= \Omega \mid [\alpha]n$$ 
$$E ::= C \mid \mathrm{case}\ (x)\vec{F}\ \mathrm{of}\ 0 \mapsto C, \ldots, n \mapsto C$$ 
$$F ::= \lambda\vec{x}.\mu\alpha.E$$ 

Note that the use of case in this language is restricted to the definition of unary 
functions: no local control flow is possible. We could equally define a version of 
the language with no case whatsoever — but we would still need the facility to 
define unary functions (and case seems as good a syntax for that as any). 

Proposition 5 (rigid definability) Any compact innocent rigid strategy σ 
on some simple arena is RBT definable. 

Indeed $\mathrm{catch}_2$ is in RBT and gives one possible definition of $\mathrm{catch}_2$. On the other 
hand applying the definability machinery to a strategy interpreting a left-and 
for instance (upcasting Booleans to Integers) yields: 

$$\lambda x \lambda y.\mu\alpha.\ \mathrm{case}\ (x)\ \mathrm{of}\ \{\, 0 \mapsto [\alpha]0,\ 1 \mapsto \mathrm{case}\ (y)\ \mathrm{of}\ \{\, 0 \mapsto [\alpha]0,\ 1 \mapsto [\alpha]1 \,\} \,\}$$ 

which as expected is not in RBT (because upon receiving 1 for x the term launches 
a new computation instead of returning immediately). 
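The evaluation principle of section 3.1 (a μα catching what the [α]s it binds throw, the integer then being dispatched through the enclosing case) and the RBT restriction just described can both be exercised with the following interpreter; it is example code written for this edit, not from [Her97] or the paper, and its representation of μ-binders as runtime tags carried by exceptions is an implementation choice. The terms are the page's catch_2, the two choices of f, and the left-and term; `applied` and `num` are helpers introduced here.

```python
from collections import namedtuple
from dataclasses import dataclass
from itertools import count

# Constructed abstract syntax for CBT (the grammar of section 3.1).
@dataclass(frozen=True)
class Omega:                        # the diverging executable
    pass

@dataclass(frozen=True)
class Throw:                        # [alpha]n
    alpha: str
    n: int

@dataclass(frozen=True)
class Lam:                          # lambda x1 ... xk . mu alpha . body
    xs: tuple
    alpha: str
    body: object

@dataclass(frozen=True)
class Case:                         # case (x) F1 ... Fk of 0 -> E0, ..., n -> En
    x: str
    args: tuple
    branches: dict

Closure = namedtuple("Closure", "fun env")   # a functional plus its defining environment
_tags = count()                              # fresh runtime identities for mu-binders
class Diverge(Exception):
    pass

class Thrown(Exception):            # an integer thrown to the mu-binder identified by tag
    def __init__(self, tag, n):
        super().__init__(tag, n)
        self.tag, self.n = tag, n

def run(e, env, stats):
    """Evaluate an executable in env (lambda-variables -> Closure, mu-variables -> tag);
    it never returns normally, since [alpha]n is the only way a term yields an integer."""
    if isinstance(e, Omega):
        raise Diverge()
    if isinstance(e, Throw):
        raise Thrown(env[e.alpha], e.n)
    if isinstance(e, Case):
        # Apply the functional bound to x; the integer it throws to its own mu
        # selects a branch, i.e. the continuation offered by this case.
        n = apply(env[e.x], [Closure(f, env) for f in e.args], stats)
        if n not in e.branches:
            raise Diverge()
        stats["branches"] += 1          # count dispatches through a case continuation
        return run(e.branches[n], env, stats)
    raise TypeError(f"not an executable: {e!r}")

def apply(clo, args, stats):
    """Apply a closure: a fresh tag makes its mu catch exactly the [alpha]s it binds."""
    tag = next(_tags)
    env = {**clo.env, **dict(zip(clo.fun.xs, args)), clo.fun.alpha: tag}
    try:
        run(clo.fun.body, env, stats)
    except Thrown as t:
        if t.tag == tag:
            return t.n                  # caught by this mu-binder
        raise                           # aimed at an outer binder: keep propagating
    raise Diverge()                     # unreachable: run never returns normally

def run_executable(e, context, alpha="alpha"):
    """Run e with closed functionals from context and one free continuation alpha.
    Returns (integer thrown to alpha, number of case branches dispatched)."""
    stats = {"branches": 0}
    tag = next(_tags)
    env = {x: Closure(f, {}) for x, f in context.items()}
    env[alpha] = tag
    try:
        run(e, env, stats)
    except Thrown as t:
        if t.tag == tag:
            return t.n, stats["branches"]
        raise
    raise Diverge()

def is_rbt(e):
    """RBT check: every case branch is a C (Omega or [alpha]n), recursively in arguments."""
    if isinstance(e, Case):
        return (all(isinstance(b, (Omega, Throw)) for b in e.branches.values())
                and all(is_rbt(f.body) for f in e.args))
    return True

def num(n):                             # the numeral n as a functional: mu beta.[beta]n
    return Lam((), "beta", Throw("beta", n))

def applied(x, *args):                  # case (x) args of 0 -> [alpha]0, 1 -> [alpha]1
    return Case(x, tuple(args), {i: Throw("alpha", i) for i in range(2)})

# catch_2 = case (f mu beta.[alpha]0 mu beta.[alpha]1) of 0 -> [alpha]0, 1 -> [alpha]1
CATCH2 = Case("f", (Lam((), "beta", Throw("alpha", 0)), Lam((), "beta", Throw("alpha", 1))),
              {0: Throw("alpha", 0), 1: Throw("alpha", 1)})
F_DIRECT = Lam(("x", "y"), "beta", Case("x", (), {0: Omega()}))   # lx ly.mu beta.case x of 0 -> Omega
F_VIA = Lam(("x", "y"), "beta", Throw("beta", 0))                 # lx ly.mu beta.[beta]0
LEFT_AND = Lam(("x", "y"), "alpha",                               # the left-and term of section 3.4
               Case("x", (), {0: Throw("alpha", 0),
                              1: Case("y", (), {0: Throw("alpha", 0), 1: Throw("alpha", 1)})}))
```

With F_DIRECT the 0 reaches the free α without any case branch being taken, with F_VIA it goes through catch_2's continuation once; applying the left-and term to two 1s dispatches through its nested case twice, which is what `is_rbt` rejects.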
Bracketedness also has some considerable effect: compact innocent bracketed 
strategies always throw to the μ just above. Therefore one can dispose in the 
language of μαs and [α]s altogether, and this brings back the Hyland-Ong language 
of ‘finite canonical forms’ [HO94]. 

It is possible to combine both constraints: being rigid and being bracketed. It 
is easy to see that the corresponding language is simply typed λ-calculus with 
unary finite partial functions on Integers. This forms the core of the ‘canonical 
forms’ echoing our semantic decomposition. 



4 Factorization 

We can rework the decomposition, but from within the model, in a more intrinsic 
way. We’re only giving an informal argument that one can ‘extrude’ case out of 
an innocent strategy and obtain something rigid, much in the same way as Laird 
proved in [Lai97] that one can extrude catch out of an innocent strategy and 
obtain something bracketed. To do this, and for reasons explained in the proof 
sketch below, we have to restrict to arenas where Answers are terminal, i.e. 
condition (a4). 

Typical arenas where this is not the case are sums or lifted arenas as used in 
modeling sums and call-by-value. So this is a strong assumption. 

Let σ be a strategy on arena A violating rigidity. This means in some views of 
σ, there are Player Questions, PQ, pointing past Opponent Answers, OA, as in: 

$$v = \cdots\ OQ\ \cdots\ PQ\ OA\ \cdots\ PQ\ \cdots$$ 

We’d like to ‘mend’ this by hiding OA from the view of any further P-move. If 
OAs are not terminal, this is hopeless, since removing them from the view would 
cause visibility violations in case P would target them. So we suppose they are. 
Having said this, we need a suitable simple side arena, say S, so as to play in the 
extended arena $S \Rightarrow A$, and a helper strategy on S. Now we have room for the 
following manoeuvre: each time σ is about to move in A, we first play an opening 
move $P_1$ in S and wait for Opponent to respond with $O_1$; only then we play as 
σ would; now, if Opponent responds with a question we simply rearm the trap 
and prepare the next σ-move in A; if Opponent responds with an answer OA, 
which is the case that matters, we play $P_2^{OA}$ pointing back to $O_1$ in S, encoding 
the answer, and hope for Opponent to play $O_2^{OA}$ and hide OA in response. As in: 

$$v' = \cdots\ P_1\ O_1\ \cdots\ OA\ P_2^{OA}\ O_2^{OA}\ \cdots$$ 

Thus the obstacle OA is excised from the view and yet enough information 
is retained, through the encoding $O_2^{OA}$, so that the modified strategy is still 
innocent. 




The Anatomy of Innocence 201 



Once this pattern of four side moves $P_1$, $O_1$, $P_2$ and $O_2$ is fixed, one has no choice 
left regarding their Q/A status. First $P_2^{OA}$ has to be an Answer, otherwise it 
reintroduces a rigidity violation; just for the same reason $O_2^{OA}$ must be a Question; 
and the moves they point to must themselves be Questions, since Answers are 
assumed terminal. Finally there must be Questions enough in S to encode OA 
moves. Actually case turns out to be a convenient embodiment of this pattern 
and we may choose $S = \mathbf{N} \Rightarrow \mathbf{N}^\omega \Rightarrow \mathbf{N}$. 

Proposition 6 (rigid factorization) Let σ be an innocent strategy on an 
arena A with only terminal answers, then there exists a rigid innocent strategy 
$\mathrm{rig}(\sigma) : (\mathbf{N} \Rightarrow \mathbf{N}^\omega \Rightarrow \mathbf{N}) \Rightarrow A$ such that $\sigma = \mathrm{case} ; \mathrm{rig}(\sigma)$. 

One interesting question here would be to understand if ‘rigidification’ has any 
functorial property. Another issue is whether this can be combined with ‘bracketification’, 
and yes it can be done when rigidification is applied first. 
Abstract. Extensionality means, very roughly, that the semantics of a 
logic program can be explained in terms of the set-theoretic extensions 
of the relations involved. This allows one to reason about the program by 
ordinary extensional logic. First-order logic programming is extensional. 
Due to syntactic equality tests in the unification procedure, higher-order 
logic programming is generally not extensional. Extensionality is a highly 
undecidable property. We give a decidable extensionality criterion for 
simply typed logic programs, improving both on Wadge’s definitional 
programs from [9] and on our good programs from [2]. 



1 The Problem of Extensionality in Higher-Order Logic Programming 

Consider the following Prolog program defining the usual ordering of the natural 
numbers as the transitive closure of the successor relation. 

succ(X,s(X)).                    % assume also constant 0 

less(X,Y):- succ(X,Y). 
less(X,Z):- succ(X,Y),less(Y,Z). 

It is better to acknowledge that transitive closure is a generic operation: 

tc(R,X,Y):- R(X,Y).              % R: D->D->A 

tc(R,X,Z):- R(X,Y),tc(R,Y,Z).    % tc = transitive closure 

and to define less as tc(succ). We are then in the realm of higher-order logic 
programming, by the type of the variable R.¹ The semantics of tc is still perfectly 
extensional: tc relates extensions of binary predicates to their transitive closures. 
So far so good, but now consider: 

p(a).                            % p: D->A 

q(a).                            % q: D->A 

p_named(p).                      % p_named: (D->A)->A 

¹ In the examples we stretch the Prolog syntax a bit; in the underlying theory 
everything is fully curried. Moreover we shall identify subsets with their characteristic 
function. 
Here p and q have the same extension {a}, and an extensional interpretation of 
p_named should contain that extension. As a consequence, p_named(q) would 
also be true, for which the program provides no justification. In general, comparing 
infinite extensions is computationally hopeless (>RE), but even in the 
finite case the extensional approach is not semantically tenable either. In order 
to see this, add the following clause to the above program: 

p(b):- p_named(q). 

Denoting interpretations by [ ], we have for the extended program: 

NON-extensional model: [p]=[q]={a}, [p_named]={p} 

NOT a model: [p]=[q]={a}, [p_named]={{a}} 

minimal model 1: [p]={a,b}, [q]={a}, [p_named]={{a,b}} 

minimal model 2: [p]={a}, [q]={a,b}, [p_named]={{a}} 

Note that in both minimal models the constant b makes the extensions of p and 
q distinct, but lacks a proper explanation. Even worse, the two minimal models 
disagree on the extension of p_named. 
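The four interpretations listed above can be checked mechanically; the following is example code added for this edit, not from the paper. Over the domain {a, b} it enumerates every candidate interpretation of p, q and p_named, keeps those that satisfy the extended program read extensionally (p_named(t) holds iff the extension of t belongs to [p_named]), and returns the minimal ones.

```python
from itertools import combinations, product

DOMAIN = ("a", "b")          # the constants mentioned in the extended program


def subsets(xs):
    """All subsets of xs, as frozensets (so they can themselves be set elements)."""
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]


def is_extensional_model(p, q, p_named):
    """Check  p(a).  q(a).  p_named(p).  p(b):- p_named(q).  under the extensional
    reading: p_named is applied to the extension of its argument, not to its name."""
    return ("a" in p and "a" in q
            and p in p_named                        # p_named(p): [p] must be in [p_named]
            and (q not in p_named or "b" in p))     # p(b) :- p_named(q)


def extensional_models():
    preds = subsets(DOMAIN)                         # candidate extensions of p and q
    higher = subsets(preds)                         # candidate extensions of p_named
    return [(p, q, pn) for p, q, pn in product(preds, preds, higher)
            if is_extensional_model(p, q, pn)]


def leq(m1, m2):
    """Componentwise inclusion of interpretations (p, q, p_named)."""
    return all(x <= y for x, y in zip(m1, m2))


def minimal_models():
    """Models with no strictly smaller model: the 'minimal model 1' and '2' above."""
    ms = extensional_models()
    return [m for m in ms if not any(o != m and leq(o, m) for o in ms)]


def show(m):
    """Readable form of an interpretation, e.g. {'p': ['a', 'b'], 'q': ['a'], ...}."""
    p, q, pn = m
    return {"p": sorted(p), "q": sorted(q), "p_named": sorted(sorted(s) for s in pn)}


if __name__ == "__main__":
    for m in minimal_models():
        print(show(m))
```

The candidate [p]=[q]={a}, [p_named]={{a}} is rejected because [q] is in [p_named] while b is not in [p], and exactly the two minimal models of the text survive.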

The relevance of extensionality for software engineering has been explained 
in [9] and [2]. For example, the way in which Pascal handles procedures and 
functions as parameters is extensional. In short, extensional programs are easier 
to understand and to maintain, since plugging in a new component with a dif- 
ferent name but with the same semantics does not change the overall semantics 
of the program. This paper gives a rigorous definition of the extensionality of a 
simply-typed logic program and provides a decidable criterion which captures a 
large class of extensional programs. 

2 Terms and Types 

In order to get a clear picture of the notion of extensionality itself, we keep the terms and the types as simple as possible. For this reason we do not yet consider lambda abstraction, higher-order unification, polymorphism, subtyping and so on, although we are well aware of their importance. We take terms to be built up from constants and variables by application. We adopt a fully curried version of the syntax, so that we can do with the type constructor $\to$ only, associating to the right, such as in $D \to D \to A$.

For compliance with the usual syntax we practise a liberal way of currying. 
For example, the following denotations are all identified: 

$pxa = (px)a = p(x, a) = p(x)a = p(x)(a)$

This means that brackets and argument lists can be used freely, but serve only 
as alternative denotations of curried terms. 

The (untyped) terms of logic programming are given by the following abstract syntax:

$T ::= C \mid V \mid (T\,T)$

Here C and V are sets of (typed) constants and variables, respectively, and $T\,T$ are terms obtained by application. In principle C and V contain all correct Prolog constants and variables, respectively, but in most examples we will tacitly assume that C contains only those constants that are explicitly mentioned in the example. We use x, y, z to denote variables, a, b, c, p, q as constants, and r, s, t to denote arbitrary terms. Application is taken to be left associative, so p(xa) is notably different from the denotations above. The head symbol of a term is its leftmost symbol, either a variable or a constant.

A clause is an expression of the form $t_0 \leftarrow t_1, \ldots, t_n$, where all $t_i$ are terms ($0 \le i \le n$). A program is a finite set of clauses. We use C for clauses and P for programs. In the examples we use Prolog notation for clauses and programs.

In order to single out the well-typed higher-order logic programs we use types. The fragment consisting of first-order terms can be typed with types given by the following abstract syntax:

$\mathcal{D} ::= D \mid (D \to \mathcal{D})$

Here D is the base type of individuals and $(D \to D)$, $(D \to (D \to D))$, ... are the types of unary functions, binary functions, and so on. We let $\to$ associate to the right and drop outermost brackets.

The types for the higher-order objects are given by the following abstract syntax, allowing predicates to depend on predicates and on individuals:

$\mathcal{A} ::= A \mid (\mathcal{A} \to \mathcal{A}) \mid (D \to \mathcal{A})$

Here A is the base type of atoms. The types $D \to A$, $D \to D \to A$, ... are the types of unary predicates, of binary predicates, and so on. The types $A \to A$, $(D \to A) \to A$, ... are the types of predicates on atoms, on unary predicates, and so on. More complicated types can easily be constructed, for example, $(((A \to A) \to A) \to A) \to A$. Note that all types in $\mathcal{A}$ end in A and not in D, so that individuals do not depend on predicates.

The set of types for higher-order logic programming is the union of $\mathcal{D}$ and $\mathcal{A}$. The former will only play a minor role in this paper, and we will focus attention on the latter. We use $\tau, \tau'$ to denote arbitrary types. By induction one proves that every type $\tau \in \mathcal{A}$ is of the form

$\tau = \tau_1 \to \cdots \to \tau_k \to A$

for some $k \ge 0$, with $\tau_i$ either D or in $\mathcal{A}$, for every $1 \le i \le k$. The types $\tau_i$ are called the argument types of $\tau$.

Due to the absence of bound variables within terms, the typing system for terms is very simple and consists of one single typing rule:

$(\to\text{-elim}) \qquad \dfrac{t : \tau \to \tau' \qquad s : \tau}{ts : \tau'}$

We will now formally define when a higher-order logic program is typable.
Definition 1. A declaration is an expression either of the form $x : \tau$ with x a variable, or of the form $c : \tau$ with c a constant, stating that x (respectively c) has type $\tau$. The variable (constant) on the left hand side is called the declarandum of the declaration.

A context is a finite list of declarations with different declaranda. Contexts are denoted by $\Gamma$.

The typing relation $\Gamma \vdash t : \tau$ is defined inductively as the smallest relation which holds whenever $t : \tau$ is a declaration in $\Gamma$ and which is closed under the typing rule ($\to$-elim) above.

A term t is typable by $\Gamma$ if there exists $\tau$ such that $\Gamma \vdash t : \tau$.

A clause $t_0 \leftarrow t_1, \ldots, t_n$ is typable by $\Gamma$ if $\Gamma \vdash t_i : A$ for all $0 \le i \le n$. In that case we write $\Gamma \vdash t_0 \leftarrow t_1, \ldots, t_n : A$.

A program P consisting of clauses $C_1, \ldots, C_n$ is typable by $\Gamma$ if $\Gamma \vdash C_i : A$ for all $1 \le i \le n$. In that case we write $\Gamma \vdash P : A$.

We call a term (clause, program) typable if it is typable by $\Gamma$ for suitable $\Gamma$. If we speak of a clause (term) in relation to a typable program, then we implicitly assume the clause (term) to be typable by the same context. □

Intuitively, $\Gamma \vdash P : A$ means that the declarations in $\Gamma$ ensure that each atom in P is of the base type A. Note that one and the same variable may occur in different clauses of P, but always with the same type as declared in $\Gamma$. In cases in which different types are required, the program clauses should be standardized apart.

An alternative characterization of the typing relation is the following: $\Gamma \vdash t : \tau$ holds if and only if there exists a ($\to$-elim) derivation tree with root $t : \tau$ and leaves in $\Gamma$.

Due to the absence of abstraction, the typing system is in fact a subsystem 
of that for simply typed combinatory logic. We rely on the well-established tech- 
niques on principal type schemes for type checking and type synthesis. For the 
purpose of this paper it is not necessary to enter this important subject, instead 
we refer to the original source [4] and to the ML literature. 

To give the reader at least some idea, the principal type scheme of the term xy is $x : \tau \to \tau',\ y : \tau$, with $\tau, \tau'$ arbitrary types. The principal type scheme of the atom xy is $x : \tau \to A,\ y : \tau$, and of the clause $xy \leftarrow y$ it is the context $x : A \to A,\ y : A$.

3 Operational Semantics 

The operational semantics is in fact an extension of the usual SLD-resolution 
procedure for first-order logic programming [1]. We treat only some key points 
needed for a proper understanding of the sequel, namely unification, well-typed 
substitution and the immediate consequence operator. The latter will play a role 
in inductive proofs. 

Consider an arbitrary first-order unification algorithm, e.g. by Martelli and Montanari, see [1]. We will sketch how to extend it to the terms here. Unification of two terms can only succeed if they have the same type. In unifying them, we first write the terms in the form $t_0 t_1 \ldots t_k$ and $s_0 s_1 \ldots s_l$, where $t_0$ and $s_0$ are the respective head symbols. Second we make the hidden application functions explicit for $k, l \ge 1$. That is, we write the terms in the form $a(a(\ldots a(t_0, t_1), \ldots), t_k)$ and $a(a(\ldots a(s_0, s_1), \ldots), s_l)$, where a is a new binary function symbol. Next we apply the first-order unification algorithm to the terms written with explicit application functions. In recursive calls of the unification procedure hidden applications must again first be made explicit. In the end we return to implicit applications by discarding the a symbols properly from the resulting substitution.

Type persistence under well-typed substitution (and hence under resolution) 
is ensured by the following lemma. 

Lemma 1. If $\Gamma, x : \tau \vdash t : \tau'$ and $\Gamma, \Gamma' \vdash s : \tau$, then $\Gamma, \Gamma' \vdash t[x/s] : \tau'$.

Proof: By induction on the derivation of $\Gamma, x : \tau \vdash t : \tau'$. □

We recall the familiar notions of Herbrand Base, Herbrand Universe, im- 
mediate consequence operator and its least fixed point. These notions are now 
slightly more general as the terms involved stem from the higher-order syntax. 
By convention all terms are assumed to be typable in the context of the program. 

Definition 2. Let P be a typable higher-order logic program. We define the Herbrand Base $B_P$ (resp. the Herbrand Universe $U_P$) to be the set of all closed terms of type A (resp. D). For every $S \subseteq B_P$ we define $T_P(S) \subseteq B_P$ by $t \in T_P(S)$ iff there exists a closed instance of a program clause in P with head t and all body atoms in S. The operator $T_P$ is called the immediate consequence operator of P. As usual, $T_P{\uparrow}0 = \emptyset$, $T_P{\uparrow}(n+1) = T_P(T_P{\uparrow}n)$ and $M_P = T_P{\uparrow}\omega = \bigcup_{n} T_P{\uparrow}n$ is the least fixed point of $T_P$. □

4 Declarative Semantics 

In this section we propose a notion of model for higher-order logic programs. The 
idea is to separate the applicative behaviour of higher-order objects from the 
logical behaviour. Although this semantical framework may seem overly general 
at first sight, there are strong reasons in favour of this generality: 

- The framework covers all relevant approaches to higher-order logic. 

- The extensional collapse, to be introduced in the next section, can be carried 
out within the model class. 

- The larger the model class is, the more applications there are. 

Definition 3. A type structure consists of sets $D_\tau$ for every type $\tau$ and application mappings

$ap_{\tau,\tau'} : D_{\tau \to \tau'} \times D_\tau \to D_{\tau'}$

for all types $\tau, \tau'$. We denote application by juxtaposition and associate to the left. A type structure is functionally extensional if $D_{\tau \to \tau'} \subseteq D_\tau \to D_{\tau'}$ and $ap_{\tau,\tau'}$ is set-theoretic function application, for all $\tau, \tau'$. It is logically extensional if it is functionally extensional and moreover $\emptyset \ne D_A \subseteq \{T, F\}$. (The cases in which $D_A$ consists of just one truth value are borderline cases in which everything is true or everything is false.)

A type structure is extended to an interpretation for higher-order logic programs in the following way. First we add an interpretation function I which assigns an element of $D_\tau$ to every constant of type $\tau$. What follows now is a standard development of the interpretation of terms, but with application according to the given type structure. An assignment is a function mapping variables to domain elements of the corresponding types. Given an assignment $\alpha$, the interpretation function I can be extended to an interpretation $[t]_\alpha$ for all terms t in the following way:

- $[c]_\alpha = I(c)$ for every constant c,

- $[x]_\alpha = \alpha(x)$ for every variable x, and

- $[ts]_\alpha = [t]_\alpha [s]_\alpha$.

Thus interpretation is homomorphic with respect to syntactic and semantic application.

Next we add a valuation function V assigning a truth value to every element of $D_A$ (in the case of logical extensionality we take V(T) = T and/or V(F) = F). A term t of type A (that is, an atom) is true (false) under an assignment $\alpha$ if $V([t]_\alpha) = T$ (F). The valuation V is extended to formulas according to the usual meaning of the logical connectives and quantifiers.

A type structure with interpretation/valuation functions I and V is called a model of higher-order logic program P if it makes true every clause of P under any assignment $\alpha$. A model is called extensional if it is logically extensional. □

208 Marc Bezem

The general models of Henkin [3] are logically extensional models as above. The standard model [3] satisfies moreover $D_{\tau \to \tau'} = D_\tau \to D_{\tau'}$. The model class of Nadathur and Miller [6], who allow $D_A$ to be a set of labeled truth values, is covered by the functionally extensional type structures. We continue by showing that the closed term model of a well-typed program P is functionally extensional up to isomorphy, and initial in the model class.

Definition 4. Let P be a typable higher-order logic program. By convention we assume that the language of P is such that we do have closed terms of base types D and A. In addition we assume that if some term t of type $\tau$ occurs in P, then there exist closed terms of type $\tau$ and of all argument types of $\tau$. (If necessary, assume some default constants in the signature.) We use $|\tau|_P$ to denote the set of closed terms of type $\tau$. Let $\mathcal{M}_P$ be the type structure defined by sets $|\tau|_P$ and syntactic application mappings, with the interpretation $I_P(c) = c$ for any constant c. The valuation function $V_P$ on $|A|_P$ is defined by $V_P(t) = T$ if $t \in M_P$, and $V_P(t) = F$ otherwise. □

The following lemma is obvious, initiality is proved for $t \in T_P{\uparrow}n$ by induction on n.
Lemma 2. Let P be a typable higher-order logic program. Then we have:

1. Every closed term $t : \tau \to \tau'$ defines through application a unique mapping $|\tau|_P \to |\tau'|_P$.

2. The type structure $\mathcal{M}_P$ is functionally extensional up to isomorphy.

3. $\mathcal{M}_P$ is a model of P which is initial in the following sense: for every closed term t of type A, if t is true in $\mathcal{M}_P$, then t is true in every model of P.

The operational semantics from the previous section can be related to the declar- 
ative semantics by generalizing the usual soundness and completeness results for 
SLD-resolution [1]. Space limitations prevent us from giving more details here. 



5 The Extensional Collapse 

In this section we define a notion of extensionality for higher-order logic programs 
and show that for extensional programs the semantics can be considerably sim- 
plified. This so-called extensional collapse originates from the model theory of 
finite type arithmetic and is described and attributed to Zucker in [8]. 

Definition 5. Let P be a typable higher-order logic program. We define relations $\approx^\tau_P$ on $|\tau|_P$, expressing extensional equality of type $\tau$.

$\mathcal{D}$: We put $\approx^\tau_P$ to be $=$, syntactic equality on $|\tau|_P$, for every $\tau \in \mathcal{D}$.

$\mathcal{A}$: By induction on $\tau \in \mathcal{A}$. For the base type A we put $t \approx^A_P s$ if and only if $V_P(t) = V_P(s)$, that is, either $t, s \in M_P$, or $t, s \notin M_P$. For the induction steps with $\tau' = D$ or $\tau' \in \mathcal{A}$ we define $t \approx^{\tau' \to \tau}_P s$ if and only if $tt' \approx^\tau_P ss'$ for all $t', s'$ such that $t' \approx^{\tau'}_P s'$.

We will often omit type superscripts and the subscript P. A closed term t is called extensional if $t \approx t$. We call P extensional if all closed terms over the signature of P are extensional. In that case the relations $\approx$ will be called extensional equalities. □

We give some examples and counterexamples of extensional programs. Proofs 
are postponed till after Corollary 1. 

Example 1. The following clauses form an extensional program:

R(a,b).                               % (a,b) in every binary relation D->D->A

call(X) :- X.
or(X,Y) :- X.
or(X,Y) :- Y.

tc_T(R,X,Y) :- R(X,Y).                % tc_T = transitive closure with
tc_T(R,X,Z) :- R(X,Y), tc_T(R,Y,Z).   % R: T->T->A

sort(R,L1,L2) :- ...                  % sorting parameterized by R: D->D->A

Counterexamples, i.e., examples of non-extensionality, are:

eq(Y,Y).            % Y: A

apply(F,Z,F(Z)).    % F: (D->D->A)->D->D->A

For example, we have $p \approx or(p,p)$, but not $eq(p,p) \approx eq(p,or(p,p))$, and hence not $eq \approx eq$. The non-extensionality of the second clause arises when, for example, one considers a transitive relation r, so that r has the same extension as tc(r), and apply(tc,r,tc(r)) holds, whereas apply(tc,r,r) does not hold. □
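As an added illustration, not part of the paper, the following Python computes the least model $M_P$ of Definition 2 and the extensional equalities $\approx$ of Definition 5 for the Section 1 program (with its fourth clause), and then for the same program with q and q(a) left out. The tuple encoding of closed terms and all function names are this example's own; it assumes a ground program and a signature whose closed term sets are finite.

```python
# Added example (not from the paper): the closed term model and the
# extensional equalities of Definitions 2 and 5, computed for the Section 1
# program. Closed terms are nested tuples: a constant is a string, an
# application t s is the pair (t, s). Types are 'D', 'A' or ('->', t1, t2).

def ends_in_A(tau):
    """Types in the class A end in A; types in the class D end in D."""
    while isinstance(tau, tuple):
        tau = tau[2]
    return tau == 'A'

def closed_terms(sig):
    """Group the closed terms over the signature by type.

    Assumption: the signature has no function symbols of type D->...->D,
    so the set of closed terms is finite and the saturation terminates.
    """
    by_type = {}
    for c, tau in sig.items():
        by_type.setdefault(tau, set()).add(c)
    changed = True
    while changed:
        changed = False
        for tau in list(by_type):
            if not isinstance(tau, tuple):
                continue
            _, t1, t2 = tau
            targets = by_type.setdefault(t2, set())
            for f in list(by_type[tau]):
                for x in list(by_type.get(t1, ())):
                    if (f, x) not in targets:
                        targets.add((f, x))
                        changed = True
    return by_type

def least_model(program):
    """M_P = T_P up to omega for a ground program given as (head, body) pairs."""
    mp = set()
    while True:
        step = {h for h, body in program if all(b in mp for b in body)}  # T_P(mp)
        if step <= mp:
            return mp
        mp |= step

def ext_eq(tau, t, s, mp, terms):
    """t ~ s at type tau (Definition 5), relative to M_P and the closed terms."""
    if tau == 'A':
        return (t in mp) == (s in mp)
    if not ends_in_A(tau):
        return t == s                       # class D: syntactic equality
    _, t1, t2 = tau
    return all(ext_eq(t2, (t, u), (s, v), mp, terms)
               for u in terms.get(t1, ()) for v in terms.get(t1, ())
               if ext_eq(t1, u, v, mp, terms))

def is_extensional_program(program, sig):
    """P is extensional iff every closed term t satisfies t ~ t."""
    terms, mp = closed_terms(sig), least_model(program)
    return all(ext_eq(tau, t, t, mp, terms)
               for tau, ts in terms.items() for t in ts)

# The Section 1 program including its fourth clause p(b) :- p_named(q).
UNARY = ('->', 'D', 'A')
SIG = {'a': 'D', 'b': 'D', 'p': UNARY, 'q': UNARY, 'p_named': ('->', UNARY, 'A')}
PROGRAM = [(('p', 'a'), []), (('q', 'a'), []), (('p_named', 'p'), []),
           (('p', 'b'), [('p_named', 'q')])]

# The same program with q and q(a) left out: a single unary predicate remains.
SIG2 = {k: v for k, v in SIG.items() if k != 'q'}
PROGRAM2 = [(('p', 'a'), []), (('p_named', 'p'), [])]

if __name__ == '__main__':
    mp, terms = least_model(PROGRAM), closed_terms(SIG)
    print('M_P =', sorted(map(str, mp)))
    print('p ~ q at D->A:', ext_eq(UNARY, 'p', 'q', mp, terms))
    print('p_named extensional:', ext_eq(SIG['p_named'], 'p_named', 'p_named', mp, terms))
    print('Section 1 program extensional:', is_extensional_program(PROGRAM, SIG))
    print('program without q extensional:', is_extensional_program(PROGRAM2, SIG2))
```

The computed $M_P$ is exactly the NON-extensional model listed in Section 1; p and q come out extensionally equal at type D->A, so p_named(p) in $M_P$ together with p_named(q) outside it makes p_named fail to be extensional.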

Lemma 3. Let P be a typable higher-order logic program. Then $\approx^\tau_P$ is a partial equivalence relation for every type $\tau$. More precisely, for every type $\tau$, the relation $\approx^\tau_P$ is symmetric and transitive (and hence reflexive where defined: $t \approx^\tau_P s \Rightarrow t \approx^\tau_P t$ for all closed terms $t, s : \tau$). If the relations $\approx$ are everywhere reflexive, then the usual form of extensionality holds: if $tr \approx sr$ for all r, then $t \approx s$.

Proof: Symmetry and transitivity are proved simultaneously by induction on $\tau$. If reflexivity also holds, then $tr \approx sr$ and $r \approx r'$ imply $tr \approx sr'$. □

Definition 6. Let P be a typable, extensional, higher-order logic program, with $\mathcal{M}_P$ as in Definition 4 and $\approx_P$ as in Definition 5. The extensional equalities $\approx^\tau_P$ are by definition congruences with respect to application. Let $[t]_P$ denote the equivalence class of t with respect to $\approx_P$, for any closed term $t : \tau$. We define $\mathcal{M}_P/{\approx}$ as the type structure defined by sets $|\tau|_P/{\approx_P}$ and application mappings satisfying $[t]_P [t']_P = [tt']_P$ for all closed terms of appropriate types. The interpretation and valuation function are also collapsed into $I/{\approx}(c) = [c]_P$ and $V/{\approx}([t]_P) = V_P(t)$. Note that $V/{\approx}$ is well-defined. The quotient structure $\mathcal{M}_P/{\approx}$ is called the extensional collapse of $\mathcal{M}_P$.

Theorem 1. Let P be a typable, extensional, higher-order logic program. Then we have the following:

1. Every closed term $t : \tau \to \tau'$ defines through application a mapping from $|\tau|_P/{\approx_P}$ to $|\tau'|_P/{\approx_P}$, and two such terms are extensionally equal if and only if they define the same mapping.

2. The quotient structure $\mathcal{M}_P/{\approx}$ is logically extensional up to isomorphy.

3. The quotient structure $\mathcal{M}_P/{\approx}$ is a model of P that is elementarily equivalent to $\mathcal{M}_P$ with respect to the clausal language of P.

Proof: Let conditions be as above, in particular P is extensional. Obviously, $t : \tau \to \tau'$ can be viewed to map any $[t']_P$ to $[tt']_P$. Moreover, extensionally equal terms define the same mapping. Conversely, if t and s define the same mapping, then $[tt']_P = [ss']_P$ whenever $[t']_P = [s']_P$, so $t \approx s$. This proves 1 and implies that the quotient structure is functionally extensional up to isomorphy. It is logically extensional since $|A|_P/{\approx_P}$ consists of at most two classes, namely $M_P$ and $B_P - M_P$, the true and the false closed atoms. This proves 2. The elementary equivalence of the quotient structure with the original structure follows easily, since both structures make true the same closed atoms. This proves 3. □
6 The Extensionality Criterion

In this section we develop a decidable, syntactic criterion which is sufficient 
for extensionality. The criterion is not necessary, and cannot be so given the 
undecidability of extensionality in general. 

Conceptually the criterion is very simple and satisfying. Note that the uni- 
fication process may operate on arguments in an intensional way, for example, 
by comparing arguments syntactically. The idea is that a program is extensional 
provided higher-order arguments (hoa) are only passed (p), applied (a) and/or 
thrown away (ta). For this it suffices that all higher-order arguments in the 
head of any program clause are distinct variables, so that the unification for the 
higher-order arguments reduces to matching. 

It may come as a surprise that the elaboration of this very simple idea requires 
all the technicalities that are to follow, as well as those that are omitted for 
reasons of space. We do not see how the proofs below can be simplified, but 
some readers may be challenged. 

Definition 7. Let P be a typable higher-order logic program. We call P a hoapata program if the higher-order arguments in the head of any program clause are all distinct variables.

Observe that, in the definition of a hoapata program, arguments of type D do not play a role. As a consequence, arguments of type D may be used without any restriction in hoapata programs, but we will ignore them in the considerations below. Thus the head of a clause of a hoapata program has one of the following two forms: $a\bar{x}$ or $x\bar{x}$, where all variables $x_i$ in $\bar{x}$ are distinct (for typing reasons we also have $x \ne x_i$). For atoms in the body of a clause of a hoapata program we distinguish the following four typical forms: $b\,c(x,\bar{x},\bar{y})$, $x\,d(x,\bar{x},\bar{y})$, $x_i\,e(x,\bar{x},\bar{y})$, or $y_j\,f(x,\bar{x},\bar{y})$. Here $\bar{y}$ are the local variables, i.e. variables that occur in the body but not in the head of the program clause. Furthermore, a, b are constants and $c(x,\bar{x},\bar{y})$, $d(x,\bar{x},\bar{y})$, $e(x,\bar{x},\bar{y})$, $f(x,\bar{x},\bar{y})$ are sequences of terms containing zero or more occurrences of the variables $x, \bar{x}, \bar{y}$. By convention everything is assumed to be well-typed.

The four forms above represent the cases in which the head symbol of the 
body atom is a constant, the head variable x, one of the arguments Xi and one 
of the local variables yj, respectively. In the first and the fourth case all higher- 
order variables from the head of the program clause are passed and/or thrown 
away. In the second and the third case they are also applied. 

Examples of hoapata programs are: all definitional programs from [9], all 
good programs from [2], all programs claimed to be extensional in Example 1. 
Also the following fixed point clauses for different types T, which can capture all 
recursions, form a hoapata program. 

fp_T(X,Y1,...,Yk) :- X(fp_T(X),Y1,...,Yk).   % fp_T = fixed point

                                             % X: T->T, T = T1->...->Tk->A, Yi: Ti for i=1,...,k

The following lemma states an essential property of hoapata programs, namely 
that all higher-order arguments that do play a role in a derivation are eventually 
applied. Here the higher-order arguments are closed instantiations of the variables $\bar{z}$, and they are applied in closed instantiations of atoms of the form $z_i\,\bar{e}$. Playing a role in the derivation is expressed in terms of the layered structure of $M_P$ induced by $T_P$.

Lemma 4. Let P be a hoapata program and $\bar{z}$ be a sequence of distinct higher-order variables. Let t : A be an atom headed by a constant and with free variables among $\bar{z}$, and $\sigma$ a closed substitution with domain $\bar{z}$ such that $t^\sigma \in T_P{\uparrow}(n+1)$. Then there is a conjunction G of atoms, all starting with a head variable from $\bar{z}$ and with free variables among $\bar{z}$, such that $M_P$ is closed under $t \leftarrow G$ and $G^\sigma \subseteq T_P{\uparrow}n$. The former means that for any closed instance $t' \leftarrow G'$ we have $t' \in M_P$ whenever $G' \subseteq M_P$ and the latter means that all atoms in $G^\sigma$ are in a lower stratum than $t^\sigma$. In particular the conjunction G is empty if n = 0.

Proof: Let P be a hoapata program. We proceed by induction on n, ignoring arguments of type D. For the base case n = 0, let $t = a\bar{t}$ with a as above. Now $a\bar{t}^\sigma \in T_P{\uparrow}1$ implies that there is a clause $a\bar{x}$ or $x\bar{x}$ in P, with all variables in $\bar{x}$ distinct, such that $a\bar{t}^\sigma$ is an instantiation. But then also $a\bar{t}$ and all its instantiations are in $M_P$ and we can take G empty. (Note that the program clause could also take the form $y\bar{y}$ with the type of y smaller than the type of a; in that case y is instantiated by, say, $at_1t_2$, but again we can take G empty.)

For the induction step, assume the lemma holds for n and let again $t = a\bar{t}$ with $\sigma$ as above such that $a\bar{t}^\sigma \in T_P{\uparrow}(n+2)$. Recall that we have the following two typical forms of hoapata program clauses:

$a\bar{x} \leftarrow b\,c(\bar{x},\bar{y}), \ldots, x_i\,e(\bar{x},\bar{y}), \ldots, y_j\,f(\bar{x},\bar{y})$

$x\bar{x} \leftarrow b\,c(x,\bar{x},\bar{y}), \ldots, x\,d(x,\bar{x},\bar{y}), \ldots, x_i\,e(x,\bar{x},\bar{y}), \ldots, y_j\,f(x,\bar{x},\bar{y})$

We will start with the first form, which is somewhat simpler. Assume there is a program clause of the first form with closed instance

$a\bar{t}^\sigma \leftarrow b\,c(\bar{t}^\sigma,\bar{s}), \ldots, t_i^\sigma\,e(\bar{t}^\sigma,\bar{s}), \ldots, s_j\,f(\bar{t}^\sigma,\bar{s})$

all whose body atoms are in $T_P{\uparrow}(n+1)$. Since all higher-order variables in the head $a\bar{x}$ are distinct, we also have the following instance of the same program clause:

$a\bar{t} \leftarrow b\,c(\bar{t},\bar{s}), \ldots, t_i\,e(\bar{t},\bar{s}), \ldots, s_j\,f(\bar{t},\bar{s})$

Observe that $\bar{s}$ is closed. We apply the induction hypothesis to all the body atoms $g_1, \ldots, g_m$ of the clause above that do not (yet) have the desired form $z_i\,e(\bar{t},\bar{s})$. For each such body atom $g_k$ there exists a conjunction $G_k$ such that $M_P$ is closed under $g_k \leftarrow G_k$ and $G_k^\sigma \subseteq T_P{\uparrow}n$ and all atoms in $G_k$ have the desired form ($1 \le k \le m$). Now take G to be the conjunction of all $G_k$ together with all body atoms that do have already the desired form $z_i\,e(\bar{t},\bar{s})$. One verifies easily that G has also the other desired properties: $M_P$ is closed under $a\bar{t} \leftarrow G$ as $M_P$ is closed under the program clause involved in the induction step, and $G^\sigma \subseteq T_P{\uparrow}(n+1)$.
The proof for the second form can now be presented as a refinement of the argument for the first form. Assume there is a program clause of the second form with closed instance and instance respectively:

$a\bar{t}^\sigma \leftarrow b\,c(a,\bar{t}^\sigma,\bar{s}), \ldots, a\,d(a,\bar{t}^\sigma,\bar{s}), \ldots, t_i^\sigma\,e(a,\bar{t}^\sigma,\bar{s}), \ldots, s_j\,f(a,\bar{t}^\sigma,\bar{s})$

$a\bar{t} \leftarrow b\,c(a,\bar{t},\bar{s}), \ldots, a\,d(a,\bar{t},\bar{s}), \ldots, t_i\,e(a,\bar{t},\bar{s}), \ldots, s_j\,f(a,\bar{t},\bar{s})$

All body atoms of the closed instance are in $T_P{\uparrow}(n+1)$. Here we have assumed that the head variable x has the same type as a. It is not difficult to see that the same inductive argument as in the treatment of the first form can be applied. It remains to consider a slightly more difficult subcase of the second form, in which the head variable of the program clause has a type smaller than that of a. Let $\bar{t} = \bar{u}\,\bar{v}$ and assume that the head variable matches $a\bar{u}$. Thus we assume there is a program clause of the first form with closed instance and instance as above, with $a\bar{u}$ instead of a and $\bar{v}$ instead of $\bar{t}$. In this case $t_i$ may belong to either $\bar{u}$ or $\bar{v}$. Although this looks more complicated, again the same inductive argument applies.

It takes some reflection to see that we have justifiably ignored arguments of type D in the above proof. □

Observe that the head constant plays an essential role in the above lemma. If, for example, the atom t is of the form $z_i\,\bar{s}$, then instantiations of $z_i$ can be decomposed by applying program clauses, and nothing can be concluded.

Theorem 2. If P is a hoapata program, then $t \approx t$ for every closed $t : \tau$.

Proof: Let P be a hoapata program. We proceed by double induction, first on $\tau$ and then on $T_P{\uparrow}n$ using the previous lemma. For the base types A and D the lemma holds by definition. For types $\tau \in \mathcal{D}$ the lemma is trivial. For the induction step, let $\tau \in \mathcal{A}$ and assume the lemma has been proved for all types smaller than $\tau$.

Let $\bar{z}$ be a sequence of distinct higher-order variables of types smaller than $\tau$. Again we ignore arguments of type D. Let P(n) be the following property: for all terms t : A headed by a constant and with free variables among $\bar{z}$, for all closed substitutions $\sigma, \sigma'$ such that $\bar{z}^\sigma \approx \bar{z}^{\sigma'}$ holds componentwise, if $t^\sigma \in T_P{\uparrow}n$, then $t^{\sigma'} \in M_P$. By induction we prove P(n) for all n. It follows that every closed $t : \tau$ is extensional, by considering $t\bar{z} : A$.

The base case n = 0 holds vacuously, since $T_P{\uparrow}0 = \emptyset$. For the induction step, assume P(n) as secondary induction hypothesis, the primary induction hypothesis being that all closed terms of type smaller than $\tau$ are extensional. We have to prove P(n+1), so assume t and $\sigma, \sigma'$ as above, with $t^\sigma \in T_P{\uparrow}(n+1)$. By Lemma 4 there is a (possibly empty) conjunction G of atoms, all starting with a head variable from $\bar{z}$, such that $M_P$ is closed under $t \leftarrow G$ and $G^\sigma \subseteq T_P{\uparrow}n$. We want to infer $t^{\sigma'} \in M_P$, which by the above property of G reduces to $G^{\sigma'} \subseteq M_P$. If G is empty, for example if n = 0, then we are done. Otherwise, we would like to apply the secondary induction hypothesis to all atoms in G, which are all of the form $z_i\,\bar{s}$ with $z_i^\sigma\,\bar{s}^\sigma \in T_P{\uparrow}n$. Unfortunately P(n) does not allow us to conclude directly that $z_i^{\sigma'}\,\bar{s}^{\sigma'} \in M_P$, since $z_i$ is a variable (cf. the remark just after Lemma 4). We have $z_i^\sigma \approx z_i^{\sigma'}$ by assumption. However, in this stage of the proof we do not know whether or not $\bar{s}^\sigma \approx \bar{s}^{\sigma'}$ holds. There is exactly one way out. Note that $z_i^\sigma\,\bar{s}$ starts with a constant. By the secondary induction hypothesis P(n) we get that $z_i^\sigma\,\bar{s}^{\sigma'} \in M_P$. From the primary induction hypothesis we get that all terms in $\bar{s}^{\sigma'}$ are extensional, since the types are smaller than $\tau$. Combining those two facts with $z_i^\sigma \approx z_i^{\sigma'}$ yields $z_i^\sigma\,\bar{s}^{\sigma'} \approx z_i^{\sigma'}\,\bar{s}^{\sigma'} \in M_P$. □

Corollary 1. Every hoapata program is extensional. 

The above corollary justifies all extensionality claims in Example 1. The non- 
extensional programs there are indeed not hoapata. However, the criterion does 
not (and cannot) capture all extensional programs, as shown by the following 
example. 

Example 2. The following program is obtained from the example program in Section 1 by leaving out q(a). Then there is only one unary predicate and the program is extensional from poverty, although the second clause is not hoapata.

p(a).          % p: D->A

p_named(p).    % p_named: (D->A)->A
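The hoapata criterion of Definition 7 is decided by inspecting clause heads alone. The following Python checker, added here and not part of the paper, types terms with the single (→-elim) rule of Section 2 and applies the criterion to the clauses of Example 1, to the counterexamples eq(Y,Y) and apply(F,Z,F(Z)), and to Example 2. The context CTX, the variables U, V, W used for the D-typed positions of tc (so that X and Y can keep type A throughout), and the term encoding are this example's own assumptions.

```python
# Added example (not from the paper): a checker for the hoapata criterion of
# Definition 7 over the simply typed syntax of Section 2. Terms are constants,
# variables and applications; types are 'D', 'A' or ('->', t1, t2).
from collections import namedtuple

Const, Var = namedtuple('Const', 'name'), namedtuple('Var', 'name')
App = namedtuple('App', 'fun arg')

def arrow(*ts):
    """arrow('D', 'D', 'A') is D->D->A, the type of binary predicates."""
    t = ts[-1]
    for s in reversed(ts[:-1]):
        t = ('->', s, t)
    return t

def app(head, *args):
    """Liberal currying: app(p, x, a) is the curried term ((p x) a)."""
    t = head
    for a in args:
        t = App(t, a)
    return t

def type_of(t, ctx):
    """The single rule (->-elim): from t : tau->tau' and s : tau infer ts : tau'."""
    if isinstance(t, (Const, Var)):
        return ctx[t.name]
    ft, at = type_of(t.fun, ctx), type_of(t.arg, ctx)
    if not (isinstance(ft, tuple) and ft[1] == at):
        raise TypeError(f"cannot apply a term of type {ft} to one of type {at}")
    return ft[2]

def is_typable(program, ctx):
    """Gamma |- P : A iff every head and body atom has the base type A."""
    try:
        return all(type_of(atom, ctx) == 'A'
                   for head, body in program for atom in [head, *body])
    except (TypeError, KeyError):
        return False

def is_higher_order(tau):
    """Types in the class A end in A; D and D->...->D are first order."""
    while isinstance(tau, tuple):
        tau = tau[2]
    return tau == 'A'

def head_and_args(t):
    """Split t0 t1 ... tk into the head symbol t0 and its argument list."""
    args = []
    while isinstance(t, App):
        args.append(t.arg)
        t = t.fun
    return t, args[::-1]

def head_is_hoapata(head, ctx):
    """Every higher-order argument of the head is a variable, and no two coincide."""
    _, args = head_and_args(head)
    seen = set()
    for a in args:
        if not is_higher_order(type_of(a, ctx)):
            continue                  # arguments of type D play no role
        if not isinstance(a, Var) or a.name in seen:
            return False              # a constant, an application or a repeat
        seen.add(a.name)
    return True

def is_hoapata(program, ctx):
    """A typable program all of whose clause heads pass the check."""
    return is_typable(program, ctx) and all(head_is_hoapata(h, ctx) for h, _ in program)

# Constructed context for Examples 1 and 2 and the two counterexamples. A
# variable has one type throughout (Definition 1), so the D-typed positions of
# tc use U, V, W while X, Y keep the type A they have in call and or.
D, A = 'D', 'A'
BIN = arrow(D, D, A)
CTX = {
    'a': D, 'b': D, 'p': arrow(D, A), 'q': arrow(D, A),
    'p_named': arrow(arrow(D, A), A), 'call': arrow(A, A), 'or': arrow(A, A, A),
    'tc': arrow(BIN, D, D, A), 'eq': arrow(A, A, A),
    'apply': arrow(arrow(BIN, BIN), BIN, BIN, A),
    'X': A, 'Y': A, 'R': BIN, 'U': D, 'V': D, 'W': D, 'F': arrow(BIN, BIN), 'Z': BIN,
}
a, b, p, p_named, call, or_, tc, eq, apply_ = (
    Const(n) for n in ('a', 'b', 'p', 'p_named', 'call', 'or', 'tc', 'eq', 'apply'))
X, Y, R, U, V, W, F, Z = (Var(n) for n in 'XYRUVW' 'FZ')

EXAMPLE1 = [                                     # hoapata, hence extensional
    (app(R, a, b), []),
    (app(call, X), [X]),
    (app(or_, X, Y), [X]), (app(or_, X, Y), [Y]),
    (app(tc, R, U, V), [app(R, U, V)]),
    (app(tc, R, U, W), [app(R, U, V), app(tc, R, V, W)]),
]
COUNTER_EQ = [(app(eq, Y, Y), [])]                     # Y : A occurs twice
COUNTER_APPLY = [(app(apply_, F, Z, app(F, Z)), [])]   # F(Z) is not a variable
EXAMPLE2 = [(app(p, a), []), (app(p_named, p), [])]    # constant p : D->A
```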

7 Related and Future Work 

We took over the non-extensional example program in Sec. 1 from Wadge [9], but with head p(b) instead of q(b) in the fourth clause p(b) :- p_named(q). Thus we avoid the introduction of a new constant c in the explanation and we get the dramatic disagreement of the two minimal models on [p_named]. The result of [9] may be rendered as follows: every definitional higher-order logic program has a minimal standard model. Here 'definitional' is a syntactic criterion which is strictly stronger than 'hoapata', since it disallows local variables of types other than D. Although this excludes, for example, the transitive closure of a binary predicate of unary predicates from being definitional, the main difference in view between Wadge and us is on the semantical level. In our opinion standard models are less suitable as models of extensional higher-order logic programs, as standard models are uncountable if the domain of individuals is infinite. For example, a slight variation of the program in Example 2, with p(s(0)) instead of p(a), is still extensional, but the interpretation of p_named in the minimal standard model is a non-computational object, which must single out {s(0)} in an uncountable power set. In our declarative semantics the (collapsed) closed term model consists only of p at type $D \to A$ and the interpretation of p_named is computationally tractable.

The main technical improvement of this paper over [2] is the argument in 
Section 6 consisting of the double induction proving Theorem 2 and the syn- 
tactical analysis behind Lemma 4. Hoapata programs strictly extend the good 
programs from [2], since they impose no restrictions on local variables, nor on the use of the head variable of the head of a clause.

There seems to be no connection with Miller’s [5] condition for the decidabil- 
ity of higher-order unification. First of all, unification is first-order here, since 
we have no bound variables within terms. Second, the hoapata criterion, unlike 
the condition in [5], does not impose restrictions on the first-order arguments of 
a higher-order object. 

We expect our results to carry over to other symbolic forms of simultaneous 
inductive definitions. Normann proposes to study the relation between hoapata 
programs and PCF [7]. 

For the future we plan to explore the following connection. The rewrite rules $K_\tau XY \to X$ and $S_\tau XYZ \to XZ(YZ)$ in typed Combinatory Logic are hoapata. The same holds for the rules $R_\tau XY0 \to X$ and $R_\tau XY(Z+1) \to YZ(R_\tau XYZ)$ for the primitive recursor in Gödel's T. The latter rules are hoapata since the patterns 0 and Z+1 are of base type, i.c. the natural numbers. Also the rules for some forms of transfinite recursion are hoapata. It is known that the closed term models of those calculi can be collapsed extensionally, but the proofs rely on confluence and termination and are ad hoc. We expect that, along the lines of the hoapata criterion, a general extensionality result in the context of higher-order rewriting can be obtained, unifying the results on the calculi above with the result of this paper.

In order to get a clear picture of the notion of extensionality we have kept 
the syntax of the higher-order logic programs as simple as possible. In particular 
we have left out important features such as lambda abstraction, higher-order 
unification, polymorphism, subtyping and so on. For the future we also plan 
to extend the notion of extensionality to a richer language and to develop an 
extensionality criterion for that language. 

Conclusion 

We have developed a notion of extensionality and a decidable extensionality cri- 
terion for simply typed logic programs. Thus we have captured the phenomenon 
of extensionality for a natural class of higher-order logic programs which sup- 
ports predicate abstraction. We have shown that under the criterion the closed 
term model of a simply typed logic program can be collapsed into a computa- 
tionally tractable, extensional set-theoretic model, which is initial in the model 
class. 
Abstract. We introduce a logic for sequential, non-distributed Abstract 
State Machines. Unlike other logics for ASMs which are based on dy- 
namic logic, our logic is based on atomic propositions for the function 
updates of transition rules. We do not assume that the transition rules of 
ASMs are in normal form, for example, that they concern distinct cases. 
Instead we allow structuring concepts of ASM rules including sequen- 
tial composition and possibly recursive submachine calls. We show that 
several axioms that have been proposed for reasoning about ASMs are 
derivable in our system and that the logic is complete for hierarchical 
(non-recursive) ASMs. 

Keywords: Abstract State Machines, dynamic logic, modal logic, logical 
foundations of specification languages. 



1 Introduction 

Gurevich’s Abstract State Machines (ASMs) [5] are widely used for the specifi- 
cation of software, hardware, algorithms, and the semantics of programming lan- 
guages [1]. Most logics that have been proposed for ASMs are based on variants 
of dynamic logic. There are, however, fundamental differences between the im- 
perative programs of dynamic logic and ASMs. In dynamic logic, states are rep- 
resented with variables. In ASMs, states are represented with dynamic functions. 
The fundamental program constructs in dynamic logic are non-deterministic it- 
eration (star operator) and sequential composition. The basic transition rules of 
ASMs consist of parallel function updates. Since parallel function updates may 
conflict, a logic for ASMs must have a clear notion of consistency of transition 
rules. Therefore, rather than to encode ASMs into imperative programs of dy- 
namic logic or to extend the axioms and rules of dynamic logic, we propose new 
axioms and rules which are directly based on an update predicate for transition 
rules. Since ASMs are special instances of transition systems, our logic contains 
a modal operator, too [14]. 

What comes closest to our system is known as dynamic logic with array 
assignments [6,7]. The substitution principle which is used in its axiomatization 
is derivable in our system (Lemma 9). The dynamic logic with array assignments, 
however, is not concerned with parallel execution of assignments and therefore 
does not need a notion of consistency. 

Groenboom and Renardel de Lavalette introduce in [4] the Formal Language 
for Evolving Algebras (FLEA), a system for formal reasoning about abstract 
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state machines. Their system is in the tradition of dynamic logic and contains
for every rule $R$ a modal operator $[R]\varphi$ with the intended meaning that $\varphi$ holds
always after the execution of $R$. The logic of their formal language contains,
besides true and false, a third truth value which stands for undefined. Although
they consider parallel composition of transition rules, they have no formal notion
of consistency in their system. We adopt their modal operator $[R]\varphi$ such that
the basic axioms of their system are derivable in our logic (Lemma 5). We use,
however, the two-valued logic of classical predicate logic.

Our system is designed to deal with Börger and Schmid's named parameter-
ized ASM rules [2] which also include recursive definitions of transition rules.
Recursive rule definitions in combination with sequential compositions of tran- 
sition rules are maybe too powerful and not in the spirit of the basic ASM 
concept [5]. Nevertheless we include them in our logic and solve the technical 
problems that arise with an explicit definedness predicate. 

Schönegge extends in [11] the dynamic logic of the KIV system (Karlsruhe
Interactive Verifier) to turn it into a tool for reasoning about abstract state
machines. The transition rules of ASMs are considered as imperative programs
of dynamic logic. While-programs of dynamic logic are used as an interpreter
for abstract state machines; loop-programs are used to apply an ASM a finite
number of times. Schönegge's rules for simultaneous function updates and par-
allel composition of transition rules are derivable in our system (Lemma 7). His
sequent calculus is mainly designed as a practical extension of the KIV system
and not as a foundation for reasoning about transition rules and ASMs.

Schellhorn and Ahrendt simulate in [10] abstract state machines in the KIV
system by formalizing dynamic functions as association lists, serializing parallel
updates and transforming transition rules into flat imperative programs of the
underlying dynamic logic. Schellhorn is able to fully mechanize a correctness
proof of the Prolog to WAM compilation in his dissertation [9]. He argues
that the inconsistency of an ASM (clash in simultaneous updates) can only be
detected when the ASM is in normal form and that the transformation of the
ASM into normal form by a pre-processor is more efficient than a formalization
of consistency in terms of logical axioms as we do in our system. We do
think that a suitable theorem prover can automatically process and simplify our
consistency conditions (Lemma 3 and Table 5) without problems.

Poetzsch-Heffter introduces in [8] a basic logic for a class of ASMs consisting 
of simultaneous updates of 0-ary functions (dynamic constants) and if-then-else 
rules only. His basic axiom states that the truth of the weakest backwards trans- 
former of a formula implies the truth of the formula in the next state. He then 
derives partial correctness logics for a class of simple imperative programming 
languages by specifying their semantics with ASMs of his restricted class. His 
basic axiom is derivable in our system (Lemma 10). 

Gargantini and Riccobene show in [3] how the PVS theorem prover can 
provide tool support for ASMs. They show how ASMs can be encoded in PVS 
(and hence in the underlying formal system which is Church’s simple theory of 
types). Functions are encoded as PVS functions and an interpreter for ASMs is 
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implemented in PVS. The parallel rule application is serialized. The abstraction 
level of the abstract states is preserved by assuming properties of certain static 
functions rather than by implementing (explicitly defining) them in PVS. They 
do not provide a technique for proving consistency of ASMs as we do in our logic. 
We think that for verification of large ASMs a theorem prover like PVS should 
directly provide support for transition rules such that the overhead introduced 
by the encoding is avoided (cf. [12]). 

The plan of this paper is as follows. In Sect. 2 we give a short overview 
on ASMs with sequential composition and (possibly recursive) rule definitions. 
After some considerations on formalizing the consistency of transition rules in 
Sect. 3, we introduce in Sect. 4 the basic axioms and rules of our logic and show 
that several useful principles are derivable. In Sect. 5 we prove that the logic is 
complete for hierarchical (non-recursive) ASMs. 



2 ASM Rules and Update Sets 

The notion of an abstract state is the classical notion of a mathematical struc-
ture $\mathfrak A$ for a vocabulary $\Sigma$ consisting of a non-empty set $|\mathfrak A|$ and of functions
from $|\mathfrak A|^n$ to $|\mathfrak A|$ for each $n$-ary function name $f$ of $\Sigma$. The terms $s, t$ and
the first-order formulas $\varphi, \psi$ of the vocabulary $\Sigma$ are interpreted as usual in
the structure $\mathfrak A$ with respect to a variable assignment $\zeta$. The value of a term $t$
in the structure $\mathfrak A$ under $\zeta$ is denoted by $[\![t]\!]^{\mathfrak A}_\zeta$; the truth value of a formula $\varphi$
in $\mathfrak A$ under $\zeta$ is denoted by $[\![\varphi]\!]^{\mathfrak A}_\zeta$ (see Table 1). The variable assignment which is
obtained from $\zeta$ by assigning the element $a$ to the variable $x$ is denoted by $\zeta^a_x$.

Abstract State Machines (ASMs) are systems of finitely many transition rules
which update some of the functions of the vocabulary $\Sigma$ in a given state at some
arguments. The functions of the vocabulary $\Sigma$ are divided into static functions
which cannot be updated by an ASM and dynamic ones which typically do
change as a consequence of updates by the ASM. The transition rules $R, S$ of
an ASM are syntactic expressions generated as follows (the function arguments
can be read as vectors):

1. Skip Rule: $\mathbf{skip}$

Meaning: Do nothing.

2. Update Rule: $f(t) := s$

Syntactic condition: $f$ is a dynamic function name of $\Sigma$

Meaning: In the next state, the value of $f$ at the argument $t$ is updated to $s$.

3. Block Rule: $R\ S$

Meaning: $R$ and $S$ are executed in parallel.

4. Conditional Rule: $\mathbf{if}\ \varphi\ \mathbf{then}\ R\ \mathbf{else}\ S$

Meaning: If $\varphi$ is true, then execute $R$, otherwise execute $S$.

5. Let Rule: $\mathbf{let}\ x = t\ \mathbf{in}\ R$

Meaning: Assign the value of $t$ to $x$ and execute $R$.

6. Forall Rule: $\mathbf{forall}\ x\ \mathbf{with}\ \varphi\ \mathbf{do}\ R$

Meaning: Execute $R$ in parallel for each $x$ satisfying $\varphi$.

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7. Sequence Rule: $R\ ;\ S$

Meaning: $R$ and $S$ are executed sequentially, first $R$ and then $S$.

8. Call Rule: $p(t)$

Meaning: Call $p$ with parameter $t$.

A rule definition for a rule name $p$ is an expression $p(x) = R$, where $R$ is a
transition rule in which there are no free occurrences of variables except of $x$.
The calling convention is lazy. This means that in a call $p(t)$ the variable $x$ is
replaced in the body $R$ of the rule by the parameter $t$. The parameter $t$ is not
evaluated in the state where the rule is called but only later when it is used in the
body (maybe in different states due to sequential compositions). Call-by-value
evaluation of rule calls can be simulated as follows:

\[ p(y) = \mathbf{let}\ x = y\ \mathbf{in}\ R \]

Then upon calling $p(t)$ the parameter $t$ is evaluated in the same state.

Definition 1 (ASM). An abstract state machine $M$ consists of a vocabulary $\Sigma$,
an initial state $\mathfrak A$ for $\Sigma$, a rule definition for each rule name, and a distinguished
rule name of arity zero called the main rule name of the machine.

The semantics of transition rules is given by sets of updates. Because of the
parallelism (in the Block and the Forall rules), a transition rule may prescribe
several updates of the same function at the same arguments, so such updates are
required to be consistent. The concept of consistent update sets is made more
precise by the following definitions.

Definition 2 (Update). An update for $\mathfrak A$ is a triple $(f, a, b)$, where $f$ is a
dynamic function name, and $a$ and $b$ are elements of $|\mathfrak A|$.

The meaning of the update is that the interpretation of the function / in 2t has to 
be changed at the argument a to the value b. The pair of the first two components 
of an update is called a location. An update specifies how the function table of 
a dynamic function has to be updated at the corresponding location. An update 
set is a set of updates. 

Definition 3 (Consistent update set). An update set $U$ is called consistent,
if it satisfies the following property: If $(f, a, b) \in U$ and $(f, a, c) \in U$, then $b = c$.

This means that a consistent update set contains for each function and each 
argument at most one value. If an update set U is consistent, it can be fired in 
a given state. The result is a new state in which the interpretations of dynamic 
function names are changed according to U. The interpretations of static function 
names are the same as in the old state. 

Definition 4 (Firing of updates). The result of firing a consistent update
set $U$ in a state $\mathfrak A$ is a new state $U(\mathfrak A)$ with the same universe as $\mathfrak A$ satisfying
the following two conditions for the interpretations of function names $f$ of $\Sigma$:

1. If $(f, a, b) \in U$, then $f^{U(\mathfrak A)}(a) = b$.

2. If there is no $b$ with $(f, a, b) \in U$ or if $f$ is static, then $f^{U(\mathfrak A)}(a) = f^{\mathfrak A}(a)$.

Since $U$ is consistent, the state $U(\mathfrak A)$ is determined in a unique way. Notice that
only those locations can have a new value in state $U(\mathfrak A)$ with respect to state $\mathfrak A$
for which there is an update in $U$.

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Table 1. The semantics of formulas.

\[
\begin{array}{lcl}
[\![s = t]\!]^{\mathfrak A}_\zeta &=& \begin{cases}\text{true,} & \text{if } [\![s]\!]^{\mathfrak A}_\zeta = [\![t]\!]^{\mathfrak A}_\zeta;\\ \text{false,} & \text{otherwise.}\end{cases}\\[3ex]
[\![\neg\varphi]\!]^{\mathfrak A}_\zeta &=& \begin{cases}\text{true,} & \text{if } [\![\varphi]\!]^{\mathfrak A}_\zeta = \text{false};\\ \text{false,} & \text{otherwise.}\end{cases}\\[3ex]
[\![\varphi \wedge \psi]\!]^{\mathfrak A}_\zeta &=& \begin{cases}\text{true,} & \text{if } [\![\varphi]\!]^{\mathfrak A}_\zeta = \text{true and } [\![\psi]\!]^{\mathfrak A}_\zeta = \text{true};\\ \text{false,} & \text{otherwise.}\end{cases}\\[3ex]
[\![\varphi \vee \psi]\!]^{\mathfrak A}_\zeta &=& \begin{cases}\text{true,} & \text{if } [\![\varphi]\!]^{\mathfrak A}_\zeta = \text{true or } [\![\psi]\!]^{\mathfrak A}_\zeta = \text{true};\\ \text{false,} & \text{otherwise.}\end{cases}\\[3ex]
[\![\varphi \to \psi]\!]^{\mathfrak A}_\zeta &=& \begin{cases}\text{true,} & \text{if } [\![\varphi]\!]^{\mathfrak A}_\zeta = \text{false or } [\![\psi]\!]^{\mathfrak A}_\zeta = \text{true};\\ \text{false,} & \text{otherwise.}\end{cases}\\[3ex]
[\![\forall x\,\varphi]\!]^{\mathfrak A}_\zeta &=& \begin{cases}\text{true,} & \text{if } [\![\varphi]\!]^{\mathfrak A}_{\zeta^a_x} = \text{true for all } a \in |\mathfrak A|;\\ \text{false,} & \text{otherwise.}\end{cases}\\[3ex]
[\![\exists x\,\varphi]\!]^{\mathfrak A}_\zeta &=& \begin{cases}\text{true,} & \text{if there exists an } a \in |\mathfrak A| \text{ with } [\![\varphi]\!]^{\mathfrak A}_{\zeta^a_x} = \text{true};\\ \text{false,} & \text{otherwise.}\end{cases}
\end{array}
\]

The composition $U\ ;\ V$ of two update sets $U$ and $V$ is defined such that the
following equation is true for any state $\mathfrak A$:

\[ (U\ ;\ V)(\mathfrak A) = V(U(\mathfrak A)) \]

The equation says that applying the update set $U\ ;\ V$ to state $\mathfrak A$ should be
the same as first applying $U$ and then $V$. Hence, $U\ ;\ V$ is the set of updates
obtained from $U$ by adding the updates of $V$ and overwriting updates in $U$ which
are redefined in $V$. If $U$ and $V$ are consistent, then $U\ ;\ V$ is consistent, too.

Definition 5 (Composition of update sets). The composition of two update
sets $U$ and $V$ is defined by
\[ U\ ;\ V := \{(f, a, b) \in U \mid \neg\exists c\,(f, a, c) \in V\} \cup V. \]

In a given state, a transition rule of an ASM produces for each variable as-
signment an update set. Since the rule can contain recursive calls to other rules,
it is also possible that the rule does not terminate and has no semantics at all.
Therefore, the semantics of ASM rules is given by an inductive definition of a
predicate $S(R, \mathfrak A, \zeta, U)$ with the meaning 'rule $R$ yields in state $\mathfrak A$ under the vari-
able assignment $\zeta$ the update set $U$.' Instead of $S(R, \mathfrak A, \zeta, U)$ we write $[\![R]\!]^{\mathfrak A}_\zeta \triangleright U$
and present the inductive definition as a (possibly infinitary) calculus in Table 2.
We say that a rule $R$ is defined in state $\mathfrak A$ under the variable assignment $\zeta$, if
there exists an update set $U$ such that $[\![R]\!]^{\mathfrak A}_\zeta \triangleright U$ is derivable in the calculus
in Table 2. Note that for each state $\mathfrak A$ and variable assignment $\zeta$ there exists at
most one update set $U$ such that $[\![R]\!]^{\mathfrak A}_\zeta \triangleright U$ is derivable in the calculus. Hence
transition rules are deterministic.

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Table 2. Inductive definition of the semantics of ASM rules.

\[
\begin{array}{lll}
\text{(skip)} & [\![\mathbf{skip}]\!]^{\mathfrak A}_\zeta \triangleright \emptyset & \\[1.5ex]
\text{(upd)} & [\![f(s) := t]\!]^{\mathfrak A}_\zeta \triangleright \{(f, a, b)\} & \text{if } a = [\![s]\!]^{\mathfrak A}_\zeta \text{ and } b = [\![t]\!]^{\mathfrak A}_\zeta \\[1.5ex]
\text{(par)} & \dfrac{[\![R]\!]^{\mathfrak A}_\zeta \triangleright U \qquad [\![S]\!]^{\mathfrak A}_\zeta \triangleright V}{[\![R\ S]\!]^{\mathfrak A}_\zeta \triangleright U \cup V} & \\[3ex]
\text{(if}_1\text{)} & \dfrac{[\![R]\!]^{\mathfrak A}_\zeta \triangleright U}{[\![\mathbf{if}\ \varphi\ \mathbf{then}\ R\ \mathbf{else}\ S]\!]^{\mathfrak A}_\zeta \triangleright U} & \text{if } [\![\varphi]\!]^{\mathfrak A}_\zeta = \text{true} \\[3ex]
\text{(if}_2\text{)} & \dfrac{[\![S]\!]^{\mathfrak A}_\zeta \triangleright U}{[\![\mathbf{if}\ \varphi\ \mathbf{then}\ R\ \mathbf{else}\ S]\!]^{\mathfrak A}_\zeta \triangleright U} & \text{if } [\![\varphi]\!]^{\mathfrak A}_\zeta = \text{false} \\[3ex]
\text{(let)} & \dfrac{[\![R]\!]^{\mathfrak A}_{\zeta^a_x} \triangleright U}{[\![\mathbf{let}\ x = t\ \mathbf{in}\ R]\!]^{\mathfrak A}_\zeta \triangleright U} & \text{if } a = [\![t]\!]^{\mathfrak A}_\zeta \\[3ex]
\text{(forall)} & \dfrac{[\![R]\!]^{\mathfrak A}_{\zeta^a_x} \triangleright U_a \ \text{ for each } a \in I}{[\![\mathbf{forall}\ x\ \mathbf{with}\ \varphi\ \mathbf{do}\ R]\!]^{\mathfrak A}_\zeta \triangleright \bigcup_{a \in I} U_a} & \text{if } I = \{a \in |\mathfrak A| : [\![\varphi]\!]^{\mathfrak A}_{\zeta^a_x} = \text{true}\} \\[3ex]
\text{(seq}_1\text{)} & \dfrac{[\![R]\!]^{\mathfrak A}_\zeta \triangleright U \qquad [\![S]\!]^{U(\mathfrak A)}_\zeta \triangleright V}{[\![R\ ;\ S]\!]^{\mathfrak A}_\zeta \triangleright U\ ;\ V} & \text{if } U \text{ is consistent} \\[3ex]
\text{(seq}_2\text{)} & \dfrac{[\![R]\!]^{\mathfrak A}_\zeta \triangleright U}{[\![R\ ;\ S]\!]^{\mathfrak A}_\zeta \triangleright U} & \text{if } U \text{ is inconsistent} \\[3ex]
\text{(def)} & \dfrac{[\![R^t_x]\!]^{\mathfrak A}_\zeta \triangleright U}{[\![p(t)]\!]^{\mathfrak A}_\zeta \triangleright U} & \text{if } p(x) = R \text{ is a rule definition}
\end{array}
\]

The notion of ASM run is the classical notion of computation of transition
systems. A computation step in a given state consists in executing simultaneously
all updates of the main transition rule of the ASM, if these updates are consistent.
The run stops if the main transition rule is not defined or yields an inconsistent
update set. If the update set is empty, then the ASM produces an infinite run
(stuttering, never changing the state anymore). We do not allow so-called
monitored functions to change during a computation.

Definition 6 (Run of an ASM). Let $M$ be an ASM with vocabulary $\Sigma$, initial
state $\mathfrak A$ and main rule name $p$. Let $\zeta$ be a variable assignment. A run of $M$ is
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a finite or infinite sequence $\mathfrak B_0, \mathfrak B_1, \ldots$ of states for $\Sigma$ such that the following
conditions are satisfied:

1. $\mathfrak B_0 = \mathfrak A$.

2. If $[\![p]\!]^{\mathfrak B_n}_\zeta$ is not defined or inconsistent, then $\mathfrak B_n$ is the last state.

3. Otherwise, $\mathfrak B_{n+1} = U(\mathfrak B_n)$, where $[\![p]\!]^{\mathfrak B_n}_\zeta \triangleright U$.

Runs are deterministic and independent of the variable assignment since we
forbid global variables in rule definitions.

Remark 1. In the presence of sequential composition the following two rules are
not equivalent:

\[ \mathbf{let}\ x = t\ \mathbf{in}\ R \qquad\text{and}\qquad R^t_x. \]

For a counterexample, consider the following transition rule:

\[ \mathbf{let}\ x = f(0)\ \mathbf{in}\ (f(0) := 1\ ;\ f(1) := x) \]

If we substitute the term $f(0)$ for $x$, then we obtain:

\[ f(0) := 1\ ;\ f(1) := f(0) \]

In general, the two rules are not the same, because $f(0)$ is evaluated in different
states. The following substitution property, however, is true for static terms $t$:
If $t$ is static and $[\![t]\!]^{\mathfrak A}_\zeta = a$, then

\[ [\![R]\!]^{\mathfrak A}_{\zeta^a_x} \triangleright U \iff [\![R^t_x]\!]^{\mathfrak A}_\zeta \triangleright U. \]

If the term $t$ contains dynamic functions, then the equivalence is not necessarily
true, because $t$ could be evaluated in different states on the right-hand side (due
to sequential compositions).



3 Formalizing the Consistency of ASMs 

Following Groenboom and Renardel de Lavalette [4] we extend the language of
first-order predicate logic by a modal operator $[R]$ for each rule $R$. The intended
meaning of a formula $[R]\varphi$ is that the formula $\varphi$ is true after firing $R$. More
precisely, the formula $[R]\varphi$ is true iff one of the following conditions is satisfied:

1. $R$ is not defined or the update set of $R$ is inconsistent, or

2. $R$ is defined, the update set of $R$ is consistent and $\varphi$ is true in the next state
after firing the update set of $R$.

Equivalently we can say that the formula $[R]\varphi$ is true in state $\mathfrak A$ under the
variable assignment $\zeta$ iff for each set $U$ such that $[\![R]\!]^{\mathfrak A}_\zeta \triangleright U$ is derivable and $U$
is consistent, the formula $\varphi$ is true in the state $U(\mathfrak A)$ under $\zeta$ (see Table 3).

In order to express the definedness and the consistency of transition rules we
extend the set of formulas by atomic formulas $\mathrm{def}(R)$ and $\mathrm{upd}(R, f, x, y)$. The
semantics of these formulas is defined in Table 3 and the basic properties are
listed in Tables 4 and 5.

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Table 3. The semantics of modal formulas and basic predicates.

\[
\begin{array}{lcl}
[\![\,[R]\varphi\,]\!]^{\mathfrak A}_\zeta &=& \begin{cases}\text{true,} & \text{if } [\![\varphi]\!]^{U(\mathfrak A)}_\zeta = \text{true for each consistent } U \text{ with } [\![R]\!]^{\mathfrak A}_\zeta \triangleright U;\\ \text{false,} & \text{otherwise.}\end{cases}\\[3ex]
[\![\mathrm{def}(R)]\!]^{\mathfrak A}_\zeta &=& \begin{cases}\text{true,} & \text{if there exists an update set } U \text{ with } [\![R]\!]^{\mathfrak A}_\zeta \triangleright U;\\ \text{false,} & \text{otherwise.}\end{cases}\\[3ex]
[\![\mathrm{upd}(R, f, s, t)]\!]^{\mathfrak A}_\zeta &=& \begin{cases}\text{true,} & \text{if there exists } U \text{ with } [\![R]\!]^{\mathfrak A}_\zeta \triangleright U \text{ and } (f, [\![s]\!]^{\mathfrak A}_\zeta, [\![t]\!]^{\mathfrak A}_\zeta) \in U;\\ \text{false,} & \text{otherwise.}\end{cases}
\end{array}
\]

Table 4. Axioms for definedness.

D1. $\mathrm{def}(\mathbf{skip})$

D2. $\mathrm{def}(f(s) := t)$

D3. $\mathrm{def}(R\ S) \leftrightarrow \mathrm{def}(R) \wedge \mathrm{def}(S)$

D4. $\mathrm{def}(\mathbf{if}\ \varphi\ \mathbf{then}\ R\ \mathbf{else}\ S) \leftrightarrow (\varphi \wedge \mathrm{def}(R)) \vee (\neg\varphi \wedge \mathrm{def}(S))$

D5. $\mathrm{def}(\mathbf{let}\ x = t\ \mathbf{in}\ R) \leftrightarrow \exists x\,(x = t \wedge \mathrm{def}(R))$, if $x \notin \mathrm{FV}(t)$

D6. $\mathrm{def}(\mathbf{forall}\ x\ \mathbf{with}\ \varphi\ \mathbf{do}\ R) \leftrightarrow \forall x\,(\varphi \to \mathrm{def}(R))$

D7. $\mathrm{def}(R\ ;\ S) \leftrightarrow \mathrm{def}(R) \wedge [R]\mathrm{def}(S)$

D8. $\mathrm{def}(p(t)) \leftrightarrow \mathrm{def}(R^t_x)$, if $p(x) = R$ is a rule definition of $M$

Table 5. Axioms for updates.

U1. $\neg\mathrm{upd}(\mathbf{skip}, f, x, y)$

U2. $\mathrm{upd}(f(s) := t, f, x, y) \leftrightarrow s = x \wedge t = y$; $\quad \neg\mathrm{upd}(f(s) := t, g, x, y)$, if $f \neq g$

U3. $\mathrm{upd}(R\ S, f, x, y) \leftrightarrow \mathrm{def}(R\ S) \wedge (\mathrm{upd}(R, f, x, y) \vee \mathrm{upd}(S, f, x, y))$

U4. $\mathrm{upd}(\mathbf{if}\ \varphi\ \mathbf{then}\ R\ \mathbf{else}\ S, f, x, y) \leftrightarrow (\varphi \wedge \mathrm{upd}(R, f, x, y)) \vee (\neg\varphi \wedge \mathrm{upd}(S, f, x, y))$

U5. $\mathrm{upd}(\mathbf{let}\ z = t\ \mathbf{in}\ R, f, x, y) \leftrightarrow \exists z\,(z = t \wedge \mathrm{upd}(R, f, x, y))$, if $z \notin \mathrm{FV}(t)$

U6. $\mathrm{upd}(\mathbf{forall}\ z\ \mathbf{with}\ \varphi\ \mathbf{do}\ R, f, x, y) \leftrightarrow \mathrm{def}(\mathbf{forall}\ z\ \mathbf{with}\ \varphi\ \mathbf{do}\ R) \wedge \exists z\,(\varphi \wedge \mathrm{upd}(R, f, x, y))$

U7. $\mathrm{upd}(R\ ;\ S, f, x, y) \leftrightarrow (\mathrm{upd}(R, f, x, y) \wedge [R](\mathrm{def}(S) \wedge \mathrm{inv}(S, f, x))) \vee (\mathrm{Con}(R) \wedge [R]\mathrm{upd}(S, f, x, y))$

U8. $\mathrm{upd}(p(t), f, x, y) \leftrightarrow \mathrm{upd}(R^t_z, f, x, y)$, if $p(z) = R$ is a rule definition of $M$

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The formula $\mathrm{def}(R)$ expresses that the rule $R$ is defined. The formula
$\mathrm{upd}(R, f, x, y)$ expresses that rule $R$ is defined and yields an update
set which contains an update for $f$ at $x$ to $y$. The formula $\mathrm{Con}(R)$ used in U7
to characterize an update of a sequential composition is defined as follows:

\[ \mathrm{Con}(R) := \mathrm{def}(R) \wedge \bigwedge_{f\ \mathrm{dyn.}} \forall x, y, z\,(\mathrm{upd}(R, f, x, y) \wedge \mathrm{upd}(R, f, x, z) \to y = z) \]

It is true in a state iff the rule $R$ is defined and yields a consistent update set:

\[ [\![\mathrm{Con}(R)]\!]^{\mathfrak A}_\zeta = \text{true} \iff \text{there exists a consistent } U \text{ with } [\![R]\!]^{\mathfrak A}_\zeta \triangleright U. \]

The formula $\mathrm{inv}(R, f, x)$ in U7 expresses that the rule $R$ does not update the
function $f$ at the argument $x$. It is a simple abbreviation defined as follows:

\[ \mathrm{inv}(R, f, x) := \forall y\,\neg\mathrm{upd}(R, f, x, y) \]

Note that it would be wrong to define the predicate $\mathrm{upd}(R, f, x, y)$ by saying
that $f(x)$ is different from $y$ in the present state but equal to $y$ in the next state
after firing rule $R$:

\[ \mathrm{upd}(R, f, x, y) := f(x) \neq y \wedge [R]f(x) = y \qquad \text{(wrong definition)} \]

Using this definition, the predicate $\mathrm{upd}(f(0) := 1, f, 0, 1)$ would be false in a
state where $f(0)$ is equal to $1$, although the rule $f(0) := 1$ does update the
function $f$ at the argument $0$ to $1$.
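The update-set semantics of Sect. 2 (Definitions 3 to 5, the calculus of Table 2 and the counterexample of Remark 1) and the update predicate just discussed can be exercised directly. The following Python interpreter is an added example and is not part of the paper. It assumes a universe of the integers $0$ to $7$, that a location a dynamic function table does not list holds $0$, that static functions are Python callables, that guard formulas are Python callables `cond(state, env)` built on `eval_term`, and it approximates "no derivation exists" (a recursive call that never reaches a base case) by a depth bound. The rule syntax (nested tuples) and the helper names are this example's own.

```python
from typing import Any, Callable, Dict, FrozenSet, Tuple

# Added example, not the paper's code: an interpreter for the rule semantics of
# Table 2 over update sets (Definitions 2 to 5). Assumptions made here: the
# universe is the integers 0..7, a location that a dynamic function table does
# not list holds 0, static functions are Python callables, guard formulas are
# callables cond(state, env) built on eval_term, and "no derivation exists"
# (a recursion that never reaches a base case) is approximated by a depth bound.
Update = Tuple[str, Tuple[Any, ...], Any]          # (f, argument vector, new value)
UpdateSet = FrozenSet[Update]
State = Dict[str, Dict[Tuple[Any, ...], Any]]      # dynamic function name -> table
UNIVERSE = range(8)
STATIC: Dict[str, Callable[..., Any]] = {"succ": lambda n: n + 1}


class Lazy:
    """A call parameter under the lazy calling convention: the term is
    re-evaluated in whatever state is current when the variable is used."""
    def __init__(self, term, env):
        self.term, self.env = term, env


class Undefined(Exception):
    """No update set is derivable for the rule (recursion never bottoms out)."""


def eval_term(term, state: State, env: Dict[str, Any]) -> Any:
    """Terms: ("var", x), ("const", c), ("app", f, [t1, ..., tn])."""
    if term[0] == "var":
        v = env[term[1]]
        return eval_term(v.term, state, v.env) if isinstance(v, Lazy) else v
    if term[0] == "const":
        return term[1]
    _, f, args = term
    a = tuple(eval_term(t, state, env) for t in args)
    return STATIC[f](*a) if f in STATIC else state.get(f, {}).get(a, 0)


def consistent(U: UpdateSet) -> bool:
    """Definition 3: at most one value per location (f, a)."""
    seen: Dict[Tuple[str, Tuple[Any, ...]], Any] = {}
    return all(seen.setdefault((f, a), b) == b for f, a, b in U)


def fire(U: UpdateSet, state: State) -> State:
    """Definition 4: U(state). Only locations with an update in U change."""
    assert consistent(U), "only consistent update sets can be fired"
    new = {f: dict(table) for f, table in state.items()}
    for f, a, b in U:
        new.setdefault(f, {})[a] = b
    return new


def compose(U: UpdateSet, V: UpdateSet) -> UpdateSet:
    """Definition 5: U ; V, updates of V overwrite those of U at the same location."""
    redefined = {(f, a) for f, a, _ in V}
    return frozenset(u for u in U if (u[0], u[1]) not in redefined) | V


def evaluate(rule, state: State, env: Dict[str, Any], defs, depth: int = 0) -> UpdateSet:
    """[[rule]]^state_env |> U as in Table 2; defs maps rule names to (params, body)."""
    if depth > 100:
        raise Undefined(rule)
    kind = rule[0]
    if kind == "skip":
        return frozenset()
    if kind == "upd":                                        # (upd): f(s) := t
        _, f, args, t = rule
        a = tuple(eval_term(s, state, env) for s in args)
        return frozenset({(f, a, eval_term(t, state, env))})
    if kind == "par":                                        # (par): union, may clash
        return evaluate(rule[1], state, env, defs, depth) | evaluate(rule[2], state, env, defs, depth)
    if kind == "if":                                         # (if1), (if2)
        _, cond, R, S = rule
        return evaluate(R if cond(state, env) else S, state, env, defs, depth)
    if kind == "let":                                        # (let): t evaluated once, now
        _, x, t, R = rule
        return evaluate(R, state, {**env, x: eval_term(t, state, env)}, defs, depth)
    if kind == "forall":                                     # (forall)
        _, x, cond, R = rule
        U: UpdateSet = frozenset()
        for a in UNIVERSE:
            if cond(state, {**env, x: a}):
                U |= evaluate(R, state, {**env, x: a}, defs, depth)
        return U
    if kind == "seq":
        U = evaluate(rule[1], state, env, defs, depth)
        if not consistent(U):                                # (seq2): S is not even evaluated
            return U
        V = evaluate(rule[2], fire(U, state), env, defs, depth)   # (seq1): S runs in U(state)
        return compose(U, V)
    if kind == "call":                                       # (def) with lazy parameters
        _, p, targs = rule
        params, body = defs[p]
        return evaluate(body, state, {x: Lazy(t, env) for x, t in zip(params, targs)}, defs, depth + 1)
    raise ValueError(f"unknown rule {rule!r}")


def upd(rule, f, x, y, state: State, env=None, defs=None) -> bool:
    """Table 3: the rule is defined and its update set contains (f, x, y)."""
    try:
        return (f, x, y) in evaluate(rule, state, env or {}, defs or {})
    except Undefined:
        return False


def upd_wrong(rule, f, x, y, state: State, env=None, defs=None) -> bool:
    """The rejected definition f(x) != y and [R] f(x) = y from Sect. 3."""
    U = evaluate(rule, state, env or {}, defs or {})
    after = (not consistent(U)) or fire(U, state).get(f, {}).get(x, 0) == y   # [R]phi, vacuous on a clash
    return state.get(f, {}).get(x, 0) != y and after


F0 = ("app", "f", [("const", 0)])
SET_F0_TO_1 = ("upd", "f", [("const", 0)], ("const", 1))


def remark1_update_sets():
    """Remark 1: let x = f(0) in (f(0) := 1 ; f(1) := x)  versus  f(0) := 1 ; f(1) := f(0)."""
    let_rule = ("let", "x", F0, ("seq", SET_F0_TO_1, ("upd", "f", [("const", 1)], ("var", "x"))))
    subst_rule = ("seq", SET_F0_TO_1, ("upd", "f", [("const", 1)], F0))
    return evaluate(let_rule, {"f": {}}, {}, {}), evaluate(subst_rule, {"f": {}}, {}, {})


if __name__ == "__main__":
    print(remark1_update_sets())
    state = {"f": {(0,): 1}}
    print(upd(SET_F0_TO_1, "f", (0,), 1, state), upd_wrong(SET_F0_TO_1, "f", (0,), 1, state))
```

Run from a state in which $f$ is $0$ everywhere, the let rule yields $\{(f, 0, 1), (f, 1, 0)\}$ while its substituted variant yields $\{(f, 0, 1), (f, 1, 1)\}$, because in the (seq$_1$) rule the second update is evaluated in $U(\mathfrak A)$. In a state with $f(0) = 1$, `upd` accepts the update $f(0) := 1$ and `upd_wrong` rejects it, which is exactly the objection raised above. A parallel block with two different values for the same location produces an inconsistent set, and a recursive rule with a lazily passed parameter (the While encoding of Sect. 4) composes its per-step update sets with `compose`.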

4 Basic Axioms and Rules of the Logic 

The formulas of the logic for abstract state machines are generated by the fol-
lowing grammar:

\[ \varphi, \psi ::= s = t \mid \neg\varphi \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \varphi \to \psi \mid \forall x\,\varphi \mid \exists x\,\varphi \mid \mathrm{def}(R) \mid \mathrm{upd}(R, f, s, t) \mid [R]\varphi \]

A formula is called pure (or first-order), if it contains neither the predicate $\mathrm{def}$
nor $\mathrm{upd}$ nor the modal operator $[R]$. A formula is called static, if it does not
contain dynamic function names. The formulas used in If-Then-Else and Forall
rules must be pure formulas.

The semantics of formulas is given by the definitions in Table 1 and Table 3.
The equivalence $\varphi \leftrightarrow \psi$ is defined by $(\varphi \to \psi) \wedge (\psi \to \varphi)$. A formula $\varphi$ is
called valid, if $[\![\varphi]\!]^{\mathfrak A}_\zeta = \text{true}$ for all states $\mathfrak A$ and variable assignments $\zeta$. The
substitution of a term $t$ for a variable $x$ in a formula $\varphi$ is denoted by $\varphi^t_x$ and is
defined as usual. Variables bound by a quantifier, a let or a forall have to be
renamed when necessary. The substitution is also performed inside of transition
rules that occur in formulas. The following substitution property holds.

Lemma 1 (Substitution). If $t$ is static and $a = [\![t]\!]^{\mathfrak A}_\zeta$, then $[\![\varphi]\!]^{\mathfrak A}_{\zeta^a_x} = [\![\varphi^t_x]\!]^{\mathfrak A}_\zeta$.

We define two transition rules R and S to be equivalent, if they are equiconsistent 
and produce the same next state when they are fired. 
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Definition 7 (Equivalence). The formula $R \simeq S$ is defined as follows:

\[
\begin{array}{rl}
R \simeq S := & (\mathrm{Con}(R) \vee \mathrm{Con}(S)) \to \mathrm{Con}(R) \wedge \mathrm{Con}(S) \wedge {} \\[1ex]
& \bigwedge_{f\ \mathrm{dyn.}} \forall x, y\,(\mathrm{upd}(R, f, x, y) \to \mathrm{upd}(S, f, x, y) \vee f(x) = y) \wedge {} \\[1ex]
& \bigwedge_{f\ \mathrm{dyn.}} \forall x, y\,(\mathrm{upd}(S, f, x, y) \to \mathrm{upd}(R, f, x, y) \vee f(x) = y)
\end{array}
\]

The formula $R \simeq S$ has the intended meaning:

Lemma 2. The formula $R \simeq S$ is true in $\mathfrak A$ under $\zeta$ iff the following two con-
ditions are true:

1. $[\![\mathrm{Con}(R)]\!]^{\mathfrak A}_\zeta = \text{true}$ iff $[\![\mathrm{Con}(S)]\!]^{\mathfrak A}_\zeta = \text{true}$.

2. If $[\![R]\!]^{\mathfrak A}_\zeta \triangleright U$, $[\![S]\!]^{\mathfrak A}_\zeta \triangleright V$ and $U$ and $V$ are consistent, then $U(\mathfrak A) = V(\mathfrak A)$.

We already know that the axioms D1-D8 and U1-U8 are valid for a given ab-
stract state machine $M$. Together with the following principles they will be the
basic axioms and rules of our logic $\mathcal L(M)$.

I. Classical logic with equality: We use the axioms and rules of the classical
predicate calculus with equality. The quantifier axioms, however, are restricted.

II. Restricted quantifier axioms:

1. $\forall x\,\varphi \to \varphi^t_x$, if $t$ is static or $\varphi$ is pure

2. $\varphi^t_x \to \exists x\,\varphi$, if $t$ is static or $\varphi$ is pure

III. Modal axioms and rules:

3. $[R](\varphi \to \psi) \wedge [R]\varphi \to [R]\psi$

4. $\dfrac{\varphi}{[R]\varphi}$

5. $\neg\mathrm{Con}(R) \to [R]\varphi$

6. $\neg[R]\varphi \to [R]\neg\varphi$

IV. The Barcan axiom:

7. $\forall x\,[R]\varphi \to [R]\forall x\,\varphi$, if $x \notin \mathrm{FV}(R)$.

V. Axioms for pure static formulas:

8. $\varphi \to [R]\varphi$, if $\varphi$ is pure and static

9. $\mathrm{Con}(R) \wedge [R]\varphi \to \varphi$, if $\varphi$ is pure and static

VI. Axioms for def and upd:

10. D1-D8 in Table 4

11. U1-U8 in Table 5

VII. Update axioms for transition rules:

12. $\mathrm{upd}(R, f, x, y) \to \mathrm{def}(R)$

13. $\mathrm{upd}(R, f, x, y) \to [R]f(x) = y$

14. $\mathrm{inv}(R, f, x) \wedge f(x) = y \to [R]f(x) = y$

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VIII. Extensionality axiom for transition rules:

15. $R \simeq S \to ([R]\varphi \leftrightarrow [S]\varphi)$

IX. Axioms from dynamic logic:

16. $[\mathbf{skip}]\varphi \leftrightarrow \varphi$

17. $[R\ ;\ S]\varphi \leftrightarrow [R][S]\varphi$

The principles I-IX are valid, therefore the logic is sound.

Theorem 1 (Soundness). If a formula is derivable with the axioms and rules
I-IX, then it is valid.

The formula $\forall x\,\varphi \to \varphi^t_x$ is not valid for non-static terms $t$. Consider the following
tautology:

\[ \forall x\,(x = 0 \to [f(0) := 1]\,x = 0). \]

If we substitute the term $f(0)$ for $x$, then we obtain the formula

\[ f(0) = 0 \to [f(0) := 1]\,f(0) = 0. \]

This formula is not valid. Hence, the quantifier axioms must be restricted.

Lemma 3. The following consistency properties are derivable:

18. $\mathrm{Con}(\mathbf{skip})$

19. $\mathrm{Con}(f(s) := t)$

20. $\mathrm{Con}(R\ S) \leftrightarrow \mathrm{Con}(R) \wedge \mathrm{Con}(S) \wedge \mathrm{joinable}(R, S)$

21. $\mathrm{Con}(\mathbf{if}\ \varphi\ \mathbf{then}\ R\ \mathbf{else}\ S) \leftrightarrow (\varphi \wedge \mathrm{Con}(R)) \vee (\neg\varphi \wedge \mathrm{Con}(S))$

22. $\mathrm{Con}(\mathbf{let}\ x = t\ \mathbf{in}\ R) \leftrightarrow \exists x\,(x = t \wedge \mathrm{Con}(R))$, if $x \notin \mathrm{FV}(t)$

23. $\mathrm{Con}(\mathbf{forall}\ x\ \mathbf{with}\ \varphi\ \mathbf{do}\ R) \leftrightarrow \forall x\,(\varphi \to \mathrm{Con}(R) \wedge \forall y\,(\varphi^y_x \to \mathrm{joinable}(R, R^y_x)))$, for a variable $y$ not free in $\varphi$ or $R$

24. $\mathrm{Con}(R\ ;\ S) \leftrightarrow \mathrm{Con}(R) \wedge [R]\mathrm{Con}(S)$

25. $\mathrm{Con}(p(t)) \leftrightarrow \mathrm{Con}(R^t_x)$, if $p(x) = R$ is a rule definition of $M$

The predicate $\mathrm{joinable}(R, S)$ which is used in 20 to reduce the consistency of a
parallel composition $R\ S$ to consistency properties of $R$ and $S$ is defined as
follows (where $x, y, z$ are not free in $R$ and $S$):

\[ \mathrm{joinable}(R, S) := \bigwedge_{f\ \mathrm{dyn.}} \forall x, y, z\,(\mathrm{upd}(R, f, x, y) \wedge \mathrm{upd}(S, f, x, z) \to y = z) \]

It expresses that the update sets of $R$ and $S$ do not conflict. This means, when-
ever $R$ and $S$ both update a function $f$ at the same argument $x$, then the new
values of $f$ at $x$ are the same.

Lemma 4. The following principles are derivable:

26. $\mathrm{Con}(R) \wedge [R]f(x) = y \to \mathrm{upd}(R, f, x, y) \vee (\mathrm{inv}(R, f, x) \wedge f(x) = y)$

27. $\mathrm{Con}(R) \wedge [R]\varphi \to \neg[R]\neg\varphi$

28. $[R]\exists x\,\varphi \to \exists x\,[R]\varphi$, if $x \notin \mathrm{FV}(R)$.
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Groenboom and Renardel de Lavalette introduce in [4] different axioms for tran-
sition rules. Their axioms FM1, FM2, AX1, AX2 are derivable in our system
using the update axioms 13 and 14.

Lemma 5. The following principles of [4] are derivable:

29. $s = x \to (y = t \leftrightarrow [f(s) := t]f(x) = y)$

30. $s \neq x \to (y = f(x) \leftrightarrow [f(s) := t]f(x) = y)$

31. $[R]f(x) = y \wedge [S]f(x) = y \to [R\ S]f(x) = y$

32. $f(x) \neq y \wedge ([R]f(x) = y \vee [S]f(x) = y) \to [R\ S]f(x) = y$.

The following inverse implication of 31 and 32 is not mentioned in [4] (maybe
because of the lack of a consistency notion), but is derivable in our system:

\[ \mathrm{Con}(R\ S) \wedge [R\ S]f(x) = y \to ([R]f(x) = y \wedge [S]f(x) = y) \vee (f(x) \neq y \wedge ([R]f(x) = y \vee [S]f(x) = y)) \]

Several principles known from dynamic logic are derivable using the extension-
ality axiom 15.

Lemma 6. The following principles are derivable:

33. $[\mathbf{if}\ \varphi\ \mathbf{then}\ R\ \mathbf{else}\ S]\psi \leftrightarrow (\varphi \wedge [R]\psi) \vee (\neg\varphi \wedge [S]\psi)$

34. $[\mathbf{let}\ x = t\ \mathbf{in}\ R]\varphi \leftrightarrow \exists x\,(x = t \wedge [R]\varphi)$, if $x \notin \mathrm{FV}(t) \cup \mathrm{FV}(\varphi)$.

35. $[p(t)]\varphi \leftrightarrow [R^t_x]\varphi$, if $p(x) = R$ is a rule definition of $M$.

Schönegge uses in his sequent calculus for the extended dynamic logic in [11] new
rules that express the commutativity, the associativity and similar properties of
the parallel combination of transition rules. In our system, these properties are
derivable.

Lemma 7. The following principles of [11] are derivable:

36. $(R\ \mathbf{skip}) \simeq R$

37. $(R\ S) \simeq (S\ R)$

38. $((R\ S)\ T) \simeq (R\ (S\ T))$

39. $(R\ R) \simeq R$

40. $(\mathbf{if}\ \varphi\ \mathbf{then}\ R\ \mathbf{else}\ S)\ T \simeq \mathbf{if}\ \varphi\ \mathbf{then}\ (R\ T)\ \mathbf{else}\ (S\ T)$

41. $T\ (\mathbf{if}\ \varphi\ \mathbf{then}\ R\ \mathbf{else}\ S) \simeq \mathbf{if}\ \varphi\ \mathbf{then}\ (T\ R)\ \mathbf{else}\ (T\ S)$

If we can derive $R \simeq S$, then we immediately obtain the principle $[R]\varphi \leftrightarrow [S]\varphi$
using the extensionality axiom 15. It is not clear to us whether, for example, the
commutativity of the parallel composition, $[R\ S]\varphi \leftrightarrow [S\ R]\varphi$, could be derived
in the formal system of [4].

Lemma 8. The following properties of the sequential composition are derivable:

42. $(R\ ;\ \mathbf{skip}) \simeq R$

43. $(\mathbf{skip}\ ;\ R) \simeq R$

44. $((R\ ;\ S)\ ;\ T) \simeq (R\ ;\ (S\ ;\ T))$

45. $(\mathbf{if}\ \varphi\ \mathbf{then}\ R\ \mathbf{else}\ S)\ ;\ T \simeq \mathbf{if}\ \varphi\ \mathbf{then}\ (R\ ;\ T)\ \mathbf{else}\ (S\ ;\ T)$
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The dynamic logic with array assignments (see [6]) uses a substitution principle
which is derivable in our system. Let $\varphi$ be a pure (first-order) formula. Then by
$\varphi^{f(s)}_t$ we denote the formula which is obtained in the following way. First, $\varphi$ is
transformed into an equivalent formula

\[ \varphi \leftrightarrow \exists \bar x\,\exists \bar y\,\Big(\bigwedge_{i=1}^{n} f(x_i) = y_i \wedge \psi\Big), \]

where $\bar x = x_1, \ldots, x_n$, $\bar y = y_1, \ldots, y_n$ and $\psi$ does not contain $f$. Then we define:

\[ \varphi^{f(s)}_t := \exists \bar x\,\exists \bar y\,\Big(\bigwedge_{i=1}^{n} \big((x_i = s \wedge y_i = t) \vee (x_i \neq s \wedge f(x_i) = y_i)\big) \wedge \psi\Big) \]

Lemma 9. For any first-order formula $\varphi$, the following substitution principle is
derivable: $[f(s) := t]\varphi \leftrightarrow \varphi^{f(s)}_t$.

The If-Then rule can be defined in terms of If-Then-Else in the standard way:

\[ \mathbf{if}\ \varphi\ \mathbf{then}\ R := \mathbf{if}\ \varphi\ \mathbf{then}\ R\ \mathbf{else}\ \mathbf{skip} \]

An ASM is called simple, if it is defined by a single rule $R$, which has the following
form (a parallel block of If-Then rules):

\[
\begin{array}{l}
\mathbf{if}\ \varphi_1\ \mathbf{then}\ f(s_1) := t_1 \\
\mathbf{if}\ \varphi_2\ \mathbf{then}\ f(s_2) := t_2 \\
\quad\vdots \\
\mathbf{if}\ \varphi_n\ \mathbf{then}\ f(s_n) := t_n
\end{array}
\]

Simple ASMs have the obvious properties formulated in the following lemma.
Property 49 is a variant of the basic axiom of Poetzsch-Heffter [8]. It can easily
be extended to disjoint If-Then rules with simultaneous function updates.

Lemma 10. Let $R$ be the rule of a simple ASM. Then,

46. $\mathrm{Con}(R) \leftrightarrow \bigwedge_{i<j} (\varphi_i \wedge \varphi_j \wedge s_i = s_j \to t_i = t_j)$

47. $\mathrm{upd}(R, f, x, y) \leftrightarrow \bigvee_{i=1}^{n} (\varphi_i \wedge x = s_i \wedge y = t_i)$

48. $\mathrm{inv}(R, f, x) \leftrightarrow \bigwedge_{i=1}^{n} (\varphi_i \to x \neq s_i)$

49. $\bigvee_{i=1}^{n} \varphi_i \wedge \bigwedge_{i<j} \neg(\varphi_i \wedge \varphi_j) \wedge \bigwedge_{i=1}^{n} (\varphi_i \to \psi^{f(s_i)}_{t_i}) \to [R]\psi$, if $\psi$ is first-order.

Iteration can be reduced to recursion. We can define the While rule recursively,
as follows:

\[ \mathbf{while}\ \varphi\ \mathbf{do}\ R = \mathbf{if}\ \varphi\ \mathbf{then}\ (R\ ;\ \mathbf{while}\ \varphi\ \mathbf{do}\ R) \]

The expression $\mathbf{while}\ \varphi\ \mathbf{do}\ R$ has to be read as a rule call $p(\bar x)$, where $\bar x$ are the
free variables of $\varphi$ and $R$. So the above equation stands for the following rule
definition:

\[ p(\bar x) = \mathbf{if}\ \varphi\ \mathbf{then}\ (R\ ;\ p(\bar x)) \]

Robert F. Stärk and Stanislas Nanchen

Lemma 11. The following properties of the While rule are derivable:

50. $\mathrm{Con}(\mathbf{while}\ \varphi\ \mathbf{do}\ R) \leftrightarrow (\varphi \to \mathrm{Con}(R) \wedge [R]\mathrm{Con}(\mathbf{while}\ \varphi\ \mathbf{do}\ R))$

51. $[\mathbf{while}\ \varphi\ \mathbf{do}\ R]\psi \leftrightarrow (\varphi \wedge [R][\mathbf{while}\ \varphi\ \mathbf{do}\ R]\psi) \vee (\neg\varphi \wedge \psi)$

Several properties of ASMs can be expressed using the basic logic (where $M$ is
the distinguished rule name of the ASM and $\varphi_{\mathrm{init}}$ is a formula characterizing
initial states):

- The formula $\varphi$ ensures consistency: $(\varphi_{\mathrm{init}} \to \varphi) \wedge (\varphi \to \mathrm{Con}(M) \wedge [M]\varphi)$.

- The formula $\varphi$ is an invariant: $(\varphi_{\mathrm{init}} \to \varphi) \wedge (\varphi \to [M]\varphi)$.

The statement in [13] for the correctness of the compiler from Java to the JVM
can be formulated as follows:

\[ (\varphi_{\mathrm{init}} \to \varphi_{\mathrm{eqv}}) \wedge \big(\varphi_{\mathrm{eqv}} \to [J](\varphi_{\mathrm{eqv}} \vee [V]\varphi_{\mathrm{eqv}} \vee [V][V]\varphi_{\mathrm{eqv}} \vee [V][V][V]\varphi_{\mathrm{eqv}})\big) \]

Here, $J$ is an ASM that specifies the semantics of a Java source level program
according to the Java Language Specification; $V$ is an ASM that specifies the
Java Virtual Machine. The two ASMs have disjoint dynamic function names
and use the same static functions. The formula $\varphi_{\mathrm{eqv}}$ expresses that two dynamic
states of the two ASMs are equivalent for a given Java program and its compiled
bytecode program. The above formula says that if two states are equivalent,
then for each step of $J$ the ASM $V$ has to make zero, one, two, or three steps
to reach an equivalent state again. The proof in [13], which comprises 83 cases,
could be carried out in the basic system with appropriate structural induction
principles for lists and abstract syntax trees (which are encoded using static
functions).



5 Completeness for Hierarchical ASMs 

An ASM is called hierarchical, if the call graph of the rule definitions does
not contain cycles, in other words, if the ASM does not contain recursive rule
definitions. An ASM is hierarchical iff it is possible to assign levels to the rule
names such that in a rule definition $p(x) = R$ the levels of rule names in $R$ are
less than the level of $p$. Transition rules of hierarchical ASMs are always defined.
If $R$ is a transition rule which uses rules from a hierarchical machine $M$, then
$\mathrm{def}(R)$ is derivable in $\mathcal L(M)$.

Theorem 2 (Completeness). If $M$ is a hierarchical ASM and $\varphi$ is valid, then
$\varphi$ is derivable in $\mathcal L(M)$.

The proof of the completeness theorem follows the traditional Henkin-style
completeness proof and uses the fact that for a maximal consistent set $\Phi$ of
formulas, if $\mathrm{Con}(R) \in \Phi$, then the set $\{\psi \mid [R]\psi \in \Phi\}$ is also maximal consistent.
The extensionality axiom 15, Axiom 16 for skip and Axiom 17 for the sequential
composition are not used in the completeness proof. Since the axioms are valid,
by the completeness theorem they must be derivable for hierarchical ASMs.
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Abstract. Hyper tableau reasoning is a version of clausal form tableau 
reasoning where all negative literals in a clause are resolved away in a 
single inference step. Constrained hyper tableaux are a generalization 
of hyper tableaux, where branch closing substitutions, from the point 
of view of model generation, give rise to constraints on satisfying as- 
signments for the branch. These variable constraints eliminate the need 
for the awkward ‘purifying substitutions’ of hyper tableaux. The paper 
presents a non-destructive and proof confluent calculus for constrained 
hyper tableaux, together with a soundness and completeness proof, with 
completeness based on a new way to generate models from open tableaux. 
It is pointed out that the variable constraint approach applies to free 
variable tableau reasoning in general. 



1 Introduction 

Hyper tableau reasoning was introduced in [2]; like (positive) hyper resolution 
[9] it resolves away all negative literals of a clause in a single inference step, but 
it combines this with the notion of a tableau style search for counterexamples. 
Hyper tableau reasoning, in the improved version proposed in [1], allows local 
universally quantified variables. The key element in hyper tableau reasoning, 
the use of purifying substitutions to get rid of variable distribution over differ- 
ent head literals (or, in the improved version, the generation of proper clause 
instantiations by means of a Link rule) is replaced in constrained hyper tableau 
reasoning by the generation of constraints on the interpretation of the variables 
that get distributed. Constrained hyper tableaux solve the problem of model 
generation from open tableaux with free variables in a general way. 



2 Basic Definitions 

Language. Let $\Sigma$ be a first order signature. An $\mathcal L_\Sigma$ literal is an $\mathcal L_\Sigma$ atom or its negation, and an $\mathcal L_\Sigma$ clause is a multiset of $\mathcal L_\Sigma$ literals, written as $\neg A_1 \vee \cdots \vee \neg A_m \vee B_1 \vee \cdots \vee B_n$ ($m, n \geq 0$). If $m, n > 0$ the clause is mixed; if $m = 0$, $n > 0$ the clause is positive; if $m > 0$, $n = 0$ the clause is negative, and if $m = n = 0$ the clause is empty. A mixed clause $\neg A_1 \vee \cdots \vee \neg A_m \vee B_1 \vee \cdots \vee B_n$ may be written as $A_1 \wedge \cdots \wedge A_m \Rightarrow B_1 \vee \cdots \vee B_n$, and a negative clause as $\neg(A_1 \wedge \cdots \wedge A_m)$. The empty clause is written as $\bot$. We write $\top$ for the formula that is always true.



L. Fribourg (Ed.): CSL 2001, LNCS 2142, pp. 232-246, 2001.
© Springer-Verlag Berlin Heidelberg 2001







Substitutions. A substitution $\sigma$ is a function $V \to T_\Sigma$ that makes only a finite number of changes, i.e., $\sigma$ has the property that $\mathrm{dom}(\sigma) = \{v \in V \mid \sigma(v) \neq v\}$ is finite. We use $\varepsilon$ for the substitution with domain $\emptyset$ (the identity substitution). We represent a substitution $\sigma$ in the standard way, as a list $\{v_1 \mapsto \sigma(v_1), \ldots, v_n \mapsto \sigma(v_n)\}$, where $\{v_1, \ldots, v_n\}$ is $\mathrm{dom}(\sigma)$. Write substitution application in post-fix notation, and write $\sigma\theta$ for '$\theta$ after $\sigma$'.

If $\sigma, \theta$ are substitutions, then $\sigma \leq \theta$ if $\sigma$ is less general than $\theta$, i.e., if there is a $\rho$ with $\sigma = \theta\rho$. The relation $\leq$ is a pre-order (transitive and reflexive), and its poset reflection is a partial order. For this, put $\sigma \sim \theta$ if $\sigma \leq \theta$ and $\theta \leq \sigma$, and consider substitutions modulo renaming, i.e., put $|\sigma| = \{\theta \mid \sigma \sim \theta\}$, and put $|\sigma| \sqsubseteq |\theta|$ if $\sigma \leq \theta$. A renaming is a substitution that is a bijection on the set of variables. For convenience we continue to write $\sigma$ for $|\sigma|$.

Extend the set of substitutions (modulo renaming) with the improper substitution $\bot$, the substitution with the property that $\bot \sqsubseteq \sigma$ for every substitution $\sigma$. Now for every pair of substitutions $\sigma$ and $\theta$, $\sigma \sqcap \theta$, the greatest common instance of $\sigma$ and $\theta$, and $\sigma \sqcup \theta$, the least common generalization of $\sigma$ and $\theta$, exist. If $\sigma \sqcap \theta = \bot$ we say that $\sigma$ and $\theta$ do not unify. We get that $\varepsilon$, the substitution that is more general than any, is the top of the lattice given by $\sqsubseteq$, and $\bot$ its bottom. The grounding substitutions are the least general proper substitutions; in the lattice of substitutions, they are just above $\bot$. Note that this hinges on the fact that substitutions have finite domains. If $\sigma \sqsubseteq \rho$, and $\sigma \neq \bot$, we call $\sigma$ an instance of $\rho$. A clause $\phi$ is a proper instance of a clause $\psi$ if for some substitution $\sigma$ that is not a renaming it is the case that $\phi = \psi\sigma$.

A variable map is a function in $V \to T_\Sigma$ (i.e., we drop the finite domain restriction of substitutions). Variable maps modulo renaming form a complete lattice under the 'less general than' ordering. A grounding is a variable map that maps every variable to a closed term.

Substitutions as Formulas; Variable Constraints. Associate with a substitution $\sigma = \{v_1 \mapsto \sigma(v_1), \ldots, v_n \mapsto \sigma(v_n)\}$ the formula $v_1 \approx \sigma(v_1) \wedge \cdots \wedge v_n \approx \sigma(v_n)$. We can then say what it means that assignment $a$ satisfies substitution $\sigma$ in model $\mathcal M$ in the usual way. Notation $\mathcal M \models_a \sigma$. A variable constraint is the negation of a substitution as formula, i.e., a variable constraint is a multiset of inequalities $v \not\approx t$, with $t \in T_\Sigma$, written as $v_1 \not\approx t_1 \vee \cdots \vee v_n \not\approx t_n$. From a substitution $\sigma$ we derive a variable constraint $\bar\sigma$ by complementation, as follows:

$$\bar\sigma = \bigvee \{ v \not\approx \sigma(v) \mid v \in \mathrm{dom}(\sigma) \}.$$

E.g., the complement $\bar\sigma$ of $\sigma = \{x \mapsto a, y \mapsto b\}$ is $x \not\approx a \vee y \not\approx b$. Note that $\varepsilon = \top$.

Tableaux, Branches. A hyper tableau over $\Sigma$ is a finitely branching tree with nodes labeled by positive $\mathcal L_\Sigma$ literals, or by variable constraints. A branch in a tableau $T$ is a maximal path in $T$. We occasionally identify a branch $B$ with the set of its atomic facts and constraints. The variables of a tableau branch are the variables that occur in a literal or a constraint along the branch. A variable $v$ distributes over branches $B, B'$ if $v$ occurs in constraints or literals on both sides of a split point, as follows:

[figure: $v$ occurring on both sides of a split point of $B$ and $B'$]

The rigid variables of a branch $B$ are the variables of $B$ that are distributed over $B$ and some other branch. The tableau construction rules will ensure that every rigid variable in a tableau has a unique split point (highest point where it gets distributed).

A hyper tableau for a set of $\mathcal L_\Sigma$ formulas in clause form is a finite or infinite tree grown according to the following instructions.



Initialize. Put $\top$ at the root node of the tableau.



Expand. Branches of a hyper tableau for clause set $\Phi$ are expanded by the only inference rule of Constrained Hyper Tableau (CHT) reasoning, the rule Expand, in the following manner.

$$\frac{C_1, \ldots, C_m, \quad \neg A_1 \vee \cdots \vee \neg A_m \vee B_1 \vee \cdots \vee B_n}{B_1\sigma \mid \cdots \mid B_n\sigma \mid \bar\theta}$$

where

— $\neg A_1 \vee \cdots \vee \neg A_m \vee B_1 \vee \cdots \vee B_n$ is a fresh copy of a clause in $\Phi$ (fresh with respect to the tableau),

— the $C_i$ are positive literals from the current branch,

— $\sigma$ is a most general substitution such that $A_i\sigma = C_i\sigma$ ($1 \leq i \leq m$), and, moreover, $\sigma$ does not rename any rigid branch variables,

— $\theta$ is the restriction of $\sigma$ to the rigid variables of the branch.

An application of Expand to a branch expands the branch with an instance of a literal from the list $B_1, \ldots, B_n$, or with a variable constraint.

Remark. It is convenient to use mgu's $\sigma$ in Expand that do not rename any rigid branch variables. Suppose $Px$ is a positive literal on a branch, with $x$ rigid. Then a match with the rule $Py \Rightarrow Qy$ can rename either $x$ or $y$. If $x$ is renamed, the application of Expand branches, and two leaves are created, one with constraint $x \not\approx y$, the other with literal $Qy$. If $x$ is not renamed, only a single leaf $Qx$ is created, for in this case the constraint leaf extension carries constraint $\bar\varepsilon$, and can be suppressed.
Here is an example application of Expand. Here and below, uppercase characters are used for predicates, $x, y, z, u, \ldots$ for variables, $a, b, c, \ldots$ for individual constants (skolem constants), and $f, \ldots$ for skolem functions. In the example, it is assumed that $x$ is rigid and $y$ is not:

$$\frac{Pxy, \quad Qb, \quad \neg Paz \vee \neg Qz \vee Raz}{Rab \mid x \not\approx a}$$

Note that in the case of a positive clause, no branch literals are involved, and the substitution that is produced is $\varepsilon$, with corresponding constraint $\bar\varepsilon$, i.e., $\bot$. In this case the rule boils down to:

$$\frac{B_1 \vee \cdots \vee B_n}{B_1 \mid \cdots \mid B_n}$$

If there are no positive clauses $B_1 \vee \cdots \vee B_n$ in the clause set, the set $\Phi$ cannot be refuted, since in this case we can always build a model for $\Phi$ from just negative facts.

In case Expand is applied with a negative clause, the rule boils down to the following:

$$\frac{C_1, \ldots, C_m, \quad \neg(A_1 \wedge \cdots \wedge A_m)}{\bar\theta}$$

where the $C_i$ are as before, there is a most general $\sigma$ such that $A_i\sigma = C_i\sigma$ ($1 \leq i \leq m$) and no rigid variables get renamed, and $\theta$ is the restriction of $\sigma$ to the rigid variables of the branch.

History Conditions on Expand. To avoid superfluous applications of Expand, a history list is kept of all clause instances that were applied to a branch. For this we need a preliminary definition. We say that a literal $B$ reaches a $k$-fold in clause set $\Phi$ if either there is a clause in $\Phi$ in which the predicate of $B$ has at least $k$ negative occurrences, or there is a clause $\ldots B \ldots \Rightarrow \ldots C \ldots$ in $\Phi$ and $C$ reaches a $k$-fold in $\Phi$. E.g., if $Qa \Rightarrow Pa$, $Px \wedge Py \Rightarrow Rxy \in \Phi$, then $Qx$ reaches a 2-fold in $\Phi$. If $Qx$ is also in $\Phi$, we should generate two copies $Qx'$, $Qx''$, which in turn will yield two copies of $Pa$, so that $Raa$ can be derived.

If a clause is applied with substitution $\sigma$, the conditions on the application, in a tableau for clause set $\Phi$, are:

1. $\neg A_1\sigma \vee \cdots \vee \neg A_m\sigma \vee B_1\sigma \vee \cdots \vee B_n\sigma$ is not a proper instance of any of the instances of $\neg A_1 \vee \cdots \vee \neg A_m \vee B_1 \vee \cdots \vee B_n$ that were applied to the branch before;

2. if $\neg A_1\sigma \vee \cdots \vee \neg A_m\sigma \vee B_1\sigma \vee \cdots \vee B_n\sigma$ is the $k$-th variant of any of the instances of $\neg A_1 \vee \cdots \vee \neg A_m \vee B_1 \vee \cdots \vee B_n$ that were applied to the branch before, then at least one of the $B_i$ must reach a $k$-fold in $\Phi$.

If these two conditions are fulfilled, we say that the instance of the clause is fresh to the branch. All clause instances used on a branch are kept in a branch history list. The history conditions on Expand are fair, for application of proper instances of previously applied clause instances to a branch is spurious, and generation of alphabetic variants only makes sense if they (eventually) lead to the generation of alphabetic variants that can be matched simultaneously against a single clause in $\Phi$.
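The 'reaches a $k$-fold' test behind history condition 2 (the same test decides, in the fair computation sketch of Section 6, whether a literal needs to be copied), as an added Python example that is not the paper's code. Clauses are represented by predicate symbols only, and the `copies_needed` helper is an assumption of this illustration; the sample clause set is constructed from the paper's $\{Qa \Rightarrow Pa, Px \wedge Py \Rightarrow Rxy\}$ example.

```python
"""Added illustration (not the paper's code) of the history condition's
'reaches a k-fold' test.  A clause is a (body, head) pair of predicate symbols
for its negative and positive literals, so Px ∧ Py ⇒ Rxy is (["P", "P"], ["R"]),
a positive clause has an empty body and a negative clause an empty head."""


def reaches_kfold(pred, k, clauses, seen=None):
    """pred reaches a k-fold in `clauses` if some clause has at least k negative
    occurrences of pred, or some clause ... pred ... ⇒ ... C ... has a head
    predicate C that reaches a k-fold.  `seen` makes the search terminate on
    cyclic rule sets (it is a plain reachability DFS over predicate symbols)."""
    seen = set() if seen is None else seen
    if pred in seen:
        return False
    seen.add(pred)
    for body, head in clauses:
        if body.count(pred) >= k:
            return True
        if pred in body and any(reaches_kfold(c, k, clauses, seen) for c in head):
            return True
    return False


def copies_needed(pred, clauses, limit=16):
    """Largest k below `limit` such that pred reaches a k-fold: the number of
    alphabetic variants of a pred literal that condition 2 still admits on a
    branch (hypothetical helper, not a notion from the paper)."""
    k = 0
    while k < limit and reaches_kfold(pred, k + 1, clauses):
        k += 1
    return k


# Constructed from the paper's example: Phi = {Qa ⇒ Pa, Px ∧ Py ⇒ Rxy}.
# Qx reaches a 2-fold because Q feeds P and P occurs twice negatively.
PHI = [(["Q"], ["P"]), (["P", "P"], ["R"])]
```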



Constraint Merge for Closure. To check a tableau consisting of $n$ branches for closure, apply the following constraint merge for closure. It is assumed that the $\bar\sigma_i$ are constraints on the different branches.

$$\frac{\bar\sigma_1 \quad \cdots \quad \bar\sigma_n}{\text{closure by } \sigma_1 \sqcap \cdots \sqcap \sigma_n} \qquad \text{if } \sigma_1 \sqcap \cdots \sqcap \sigma_n \neq \bot.$$

The idea of the constraint merge for closure is that if $\bar\sigma$, $\bar\theta$ each close a branch and $\sigma$, $\theta$ can be unified, then $\sigma \sqcap \theta$ closes both branches, and so on, until the whole tableau is closed.

Open and Closed Tableaux. A hyper tableau is open if one of the following two conditions holds, otherwise it is closed:

— some branch in the tableau carries no constraint,

— all branches in the tableau carry constraints, but there is no way to pick constraints from individual branches and merge their corresponding substitutions into a single substitution (in the sense of: pick a finite initial stage $T'$, and pick $\bar\sigma_i$ on each $B_i$ of $T'$ such that $\sigma_1 \sqcap \cdots \sqcap \sigma_n \neq \bot$).

Fair Tableaux. A hyper tableau $T$ for clause set $\Phi$ is fair if on every open branch $B$ of $T$, Expand is applied to each clause in $\Phi$ as many times as is compatible with the history conditions on the branch.

Tableau Bundles; Herbrand Universes for Open Tableaux. A pair of different branches in a tableau is connected if some variable distributes over the two branches. Since connectedness is symmetric, the reflexive transitive closure of this relation (connected*) is an equivalence. A tableau bundle is an equivalence class of connected* branches.

We will consider term models built from Herbrand universes of ground terms. The Herbrand universe of a bundle $\mathcal B$ in a tableau is the set of terms built from the skolem constants and functions that occur in $\mathcal B$, or, if no skolem constants are present, the set of terms built from the constant $c$ and the skolem functions that occur in $\mathcal B$. If $\mathcal B$ contains no skolem functions and $\mathcal B$ is finite, the Herbrand universe of $\mathcal B$ is finite; if $\mathcal B$ contains skolem functions it is infinite. The models over such a Herbrand universe are completely specified by a set of ground positive literals. We use $H_{\mathcal B}$ for the Herbrand universe of $\mathcal B$, and we call a variable map $\sigma$ with $\mathrm{dom}(\sigma) = \mathrm{vars}(\mathcal B)$ and $\mathrm{rng}(\sigma) \subseteq H_{\mathcal B}$ a grounding for $\mathcal B$ in $H_{\mathcal B}$, and a ground instance of a clause under a grounding for $\mathcal B$ in $H_{\mathcal B}$ an $H_{\mathcal B}$ instance. Note that a grounding need not be a substitution, as the set $\mathrm{vars}(\mathcal B)$ may be infinite.
3 Refutation Proof Examples

Let us agree on some conventions for tableau representation. To represent an application of extension in the tableau, we just have to write the rule instance $B_1\sigma \wedge \cdots \wedge B_n\sigma \Rightarrow A_1\sigma \vee \cdots \vee A_m\sigma$, and the branch extensions with the list of daughters $A_1\sigma, \ldots, A_m\sigma, \bar\theta$, as follows:

[figure: rule instance $B_1\sigma \wedge \cdots \wedge B_n\sigma \Rightarrow A_1\sigma \vee \cdots \vee A_m\sigma$ with daughters $A_1\sigma, \ldots, A_m\sigma, \bar\theta$]

In case the constraint $\bar\theta$ that is generated is $\bot$, we suppress that leaf, unless it is the single leaf that closes the branch. If a constraint gives rise to a substitution that closes the whole tableau, then the substitution will be put in a box, like this (note that the boxed $\theta$ should be read as $\bar\theta$):

[figure: rule instance $B_1\sigma \wedge \cdots \wedge B_n\sigma \Rightarrow \ldots$ with a boxed closing substitution $\theta$ as leaf]



Reasoning about Relations. To prove that every transitive and irreflexive relation is asymmetric, we refute the clause form of its negation:

$\{Rxy \wedge Ryz \Rightarrow Rxz,\ \neg Ruu,\ Rab,\ Rba\}$,

where $Rab$, $Rba$ provide the witnesses of non-asymmetry.

[tableau: $Rab$, $Rba$, then the rule instance $Rab \wedge Rba \Rightarrow Raa$, then $Raa$, closed by $\neg Ruu$ with boxed $\varepsilon$]

To apply the negative clause $\neg Ruu$, we use the substitution $\{u \mapsto a\}$. The restriction of that substitution to the rigid tableau variables is $\varepsilon$, so $\varepsilon$ is the closing substitution of the tableau.

Closure by Renaming. To refute the clause set $\{Rxy, \neg Rab \vee \neg Rba\}$, two applications of Expand to the clause $Rxy$ are needed. The second application uses fresh variables. Since none of the variables is distributed in the tableau, the closing substitution is $\varepsilon$.

[tableau: two instances of $Rxy$ with fresh variables, closed by $\neg(Rab \wedge Rba)$ with boxed $\varepsilon$]



Generation of Multiple Closing Substitutions. If we try to refute the clause set $\{Oxy, \neg Oab, \neg Obc\}$, we can close the tableau in two ways, but since no variable is distributed, the closing substitution is $\varepsilon$ in both cases. If the clauses are used to expand a tableau branch in which $x$ and $y$ are distributed, the following two constraints are generated on the branch.

[tableau branch: $Oxy$ with the constraints $x \not\approx a \vee y \not\approx b$ and $x \not\approx b \vee y \not\approx c$]

The order in which the constraints are generated does not matter. Both substitutions $\{x \mapsto a, y \mapsto b\}$, $\{x \mapsto b, y \mapsto c\}$ are candidates for use in the merge check for closure of the whole tree. If the branch is part of an open tableau, then both constraints act as constraints on branch satisfaction.

Closure by Merge. A hyper tableau for the clause set $\{Sxy \vee Syx, \neg Sab, \neg Sba\}$ has $x, y$ rigid, so these variables occur in the constraints that are generated.

[tableau: $Sxy \mid Syx$, with boxed closing substitutions $\{x \mapsto a, y \mapsto b\}$ and $\{y \mapsto b, x \mapsto a\}$]

The substitutions unify (are, in fact, identical), so the tableau closes.

An AI Puzzle. If $a$ is green, $a$ is on top of $b$, $b$ is on top of $c$, and $c$ is not green, then there is a green object on top of an object that is not green. For a hyper tableau refutation proof, refute the clause form of the negation of this: $\{Ga, \neg Gc, Oab, Obc, Gx \wedge Oxy \Rightarrow Gy\}$. To make for a more interesting example, we swap positive and negative literals, as follows.

$\{\neg Ga, Gc, \neg Oab, \neg Obc, Gx \Rightarrow Gy \vee Oyx\}$.

This is not in the Horn fragment of FOL, so beyond Prolog (except through Horn renaming; for the present example, a Horn renaming is a swap of $O$ and $\neg O$, and of $G$ and $\neg G$). In the tableau for this example, in Fig. 1, note that when the rule $Gx \Rightarrow Gy \vee Oyx$ is used for the second time, its variables are first renamed. The variable $y$ gets distributed at the first tableau split, the variable $y'$ at the second split. The tableau of Figure 1 closes, for the substitution $\{y' \mapsto a, y \mapsto b\}$ closes every branch. This closing substitution is found by an attempt to merge closing substitutions of the individual branches. The branch constraints for which this works are boxed. Other possibilities fail. In particular, the substitution $\{y' \mapsto b, y \mapsto c\}$ closes the middle branch all right, but it clashes with both substitutions that close the left hand branch, either on the $y$ or on the $y'$ value, and with the substitution that closes the rightmost branch on the $y$ value.

[Fig. 1. Tableau for AI Puzzle]
4 Model Generation Examples

No Positive Clause Present. Every clause set that contains no positive clauses is satisfiable in a model with a single object satisfying no atomic predicates. Example: a model for transitivity and irreflexivity.

$\{Rxy \wedge Ryz \Rightarrow Rxz,\ \neg Ruu\}$.

No hyper tableau rule is applicable to such a clause set, so we get no further than the top node $\top$. Since there are no skolem constants, we generate the Herbrand universe from $c$. This gives a single object with no properties.

Disjunctively Satisfiable Constraints. Here is a tableau for the clause set $\{Rxy \vee Sxy, \neg Rza, \neg Sub\}$:

[tableau: $Rxy \mid Sxy$, the left branch with the constraint $y \not\approx a$ obtained from $\neg Rza$, the right branch with $y \not\approx b$ obtained from $\neg Sub$]

This tableau does not close, for the two substitutions disagree on the value for $y$. Or, put differently, the two constraints can be satisfied disjunctively. There are no further rule applications, so we have an open tableau. A model for the clause set is not generated by a single branch in this case, as the two branches share a constrained variable. The domain of a model generated from this tableau is the set of closed terms of the tableau, i.e., the set $\{a, b\}$. The set of groundings in this domain consists of $\theta_1 = \{x \mapsto a, y \mapsto a\}$, $\theta_2 = \{x \mapsto a, y \mapsto b\}$, $\theta_3 = \{x \mapsto b, y \mapsto a\}$, $\theta_4 = \{x \mapsto b, y \mapsto b\}$. $\theta_1$ satisfies only the right branch, so it generates the fact $Saa$. $\theta_2$ satisfies only the left branch, so it generates the fact $Rab$. $\theta_3$ satisfies only the right branch, so it generates the fact $Sba$. Finally, $\theta_4$ satisfies only the left branch, so it generates the fact $Rbb$. The model is given by the set of facts $\{Saa, Rab, Sba, Rbb\}$.

Infinitary Tableau Development. There are relations that are transitive and serial. The attempt to refute this combination of properties should lead to an open hyper tableau. In fact, the model that is generated for the clause set $\{Rxy \wedge Ryz \Rightarrow Rxz,\ Ruf(u)\}$ is infinite. The step from $Ruf(u)$ to $Rwf(w)$, in Fig. 2, is an application of Expand that generates an alphabetic variant. This agrees with the history condition, since there is a clause in the clause set with two negative $R$ occurrences. The tableau will not close, and tableau development will not be stopped by the check on instantiations, for new instances of the rule $Rxy \wedge Ryz \Rightarrow Rxz$ will keep turning up. The corresponding model is isomorphic to $\langle \mathbb N, < \rangle$. Although finite models for the clause set exist (a single reflexive point also constitutes a model for this example) the calculus needs to be modified to generate them. For finite model generation, we need a slightly more sophisticated treatment of literals that introduce new skolem terms to a branch. This is beyond the scope of the present paper.

[Fig. 2. Infinitary Tableau Development: $Ruf(u)$; then $Ruf(u) \wedge Rf(u)f(f(u)) \Rightarrow Ruf(f(u))$; then $Rwf(w) \wedge Rf(w)f(f(f(w))) \Rightarrow Rwf(f(f(w)))$; then $Ruf(u) \wedge Rf(u)f(f(f(f(u)))) \Rightarrow Ruf(f(f(f(u))))$; and so on]

Open Tableau; No Further Rules Applicable. In the tableau for clause set $\{Rxy \Rightarrow Rxz \vee Rzy,\ Ruu\}$, given in Fig. 3, no further branch extensions are generated, as on all branches the next instance of $Rxy \Rightarrow Rxz \vee Rzy$ is a variant of an instance that has already been used on the branch. Generation of variants of the $R$ predicate on a branch is spurious, because no clause in the clause set has more than a single negative occurrence of the $R$ predicate. Note that variables are renamed in the second and the third application of the rule $Rxy \Rightarrow Rxz \vee Rzy$. Since there are no skolem constants, we generate the Herbrand model from a fresh $c$. This gives a model consisting of a single reflexive point, from any of the branches.



5 Soundness, Model Generation, Completeness

An assignment $a$ in a model $\mathcal M$ meets a constraint $\bar\sigma$ if $\mathcal M \models_a \bar\sigma$. Let $[\![\cdot]\!]^{\mathcal M}_a$ give the term interpretation in the model with respect to $a$. Then we have:

Theorem 1. $\mathcal M \models_a \bar\sigma$ iff there is a $v \in \mathrm{dom}(\sigma)$ with $a(v) \neq [\![\sigma(v)]\!]^{\mathcal M}_a$.

The idea of the constraints is to forbid certain variable interpretations.
[Fig. 3. No Further Applicable Rules]



An assignment $a$ satisfies a branch $B$ of a tableau $T$ in a model $\mathcal M$ if $a$ meets all constraints on $B$, and $\mathcal M \models_a L$ for all positive literals $L$ on $B$. Notation: $\mathcal M \models_a B$. An assignment $a$ satisfies a tableau $T$ in a model $\mathcal M$ if $a$ satisfies a branch of $T$. Notation: $\mathcal M \models_a T$. A tableau $T$ is satisfiable if for some model $\mathcal M$ it is the case that all assignments $a$ for $\mathcal M$ satisfy $T$ in $\mathcal M$. Notation: $\mathcal M \models T$.

Theorem 2 (Satisfiability). If $\Phi$ is a satisfiable set of clauses, then any tableau for $\Phi$ is satisfiable.

Proof. Let $T$ be a tableau for $\Phi$. Since a tableau for $\Phi$ is any tree grown from the seed $\top$ with the rule Expand, either there is a finite tableau sequence $T_1, \ldots, T_n = T$, or there is an infinite sequence $T_1, \ldots$ with $T = \bigcup_{i \geq 1} T_i$. In any case, $T_1$ consists of a single node $\top$, and $T_{i+1}$ is constructed from $T_i$ by an application of Expand. To prove by induction on $n$ that a finite $T$ is satisfiable, we have to check that satisfiability is preserved by each of these steps. Take some $\mathcal M$ with $\mathcal M \models \Phi$. Assume that $\mathcal M \models T_i$, and $T_{i+1}$ is the result of applying Expand to $T_i$. Assume the branch to which Expand is applied is $B$, the clause is $B_1 \wedge \cdots \wedge B_k \Rightarrow A_1 \vee \cdots \vee A_m$, the branch literals used in the rule are $C_1, \ldots, C_k$, the matching substitution is $\sigma$, and the restriction of $\sigma$ to the rigid branch variables is $\theta$.

Consider an assignment $a$ that satisfies $T_i$ in $\mathcal M$. In case $a$ satisfies a branch different from $B$ then the application of Expand will not affect this, and $a$ will satisfy $T_{i+1}$ in $\mathcal M$. Suppose, therefore, that $a$ satisfies only $B$. We have to show that $a$ satisfies at least one of the branch extensions, with $A_1\sigma$, \ldots, with $A_m\sigma$, or with $\bar\theta$. From $\mathcal M \models \Phi$ we get that

$$\mathcal M \models B_1 \wedge \cdots \wedge B_k \Rightarrow A_1 \vee \cdots \vee A_m,$$

and therefore, since $B_i\sigma = C_i\sigma$,

$$\mathcal M \models C_1\sigma \wedge \cdots \wedge C_k\sigma \Rightarrow A_1\sigma \vee \cdots \vee A_m\sigma,$$

so in particular

$$\mathcal M \models_a C_1\sigma \wedge \cdots \wedge C_k\sigma \Rightarrow A_1\sigma \vee \cdots \vee A_m\sigma.$$

In case $\mathcal M \models_a C_1\sigma \wedge \cdots \wedge C_k\sigma$, it follows from the above that $\mathcal M \models_a A_1\sigma \vee \cdots \vee A_m\sigma$, and we are done. In case $\mathcal M \not\models_a C_1\sigma \wedge \cdots \wedge C_k\sigma$ we have to show that $\mathcal M \models_a \bar\theta$. In this case, there is an $i$ with $\mathcal M \models_a C_i$ and $\mathcal M \not\models_a C_i\sigma$. Let assignment $a'$ be given by $a'(v) = [\![v\sigma]\!]_a$. Then $\mathcal M \models_a C_i$ and $\mathcal M \not\models_{a'} C_i$. Thus $\mathcal M \not\models_{a'} B$, and by the satisfiability of $T_i$, there has to be a $B'$ with $\mathcal M \models_{a'} B'$. Since $B$ is the only branch with $\mathcal M \models_a B$, $\mathcal M \not\models_a B'$. So there has to be a variable $v$ that is both on $B$ and $B'$ with the property that $a(v) \neq a'(v)$. But this means that $v \in \mathrm{dom}(\sigma)$ and $v$ is rigid in $T_i$. It follows that $v \in \mathrm{dom}(\theta)$, and that $a$ does meet $\bar\theta$, i.e., $\mathcal M \models_a \bar\theta$.

Satisfiability in $\mathcal M$ for an infinite $T = \bigcup_{i \geq 1} T_i$ follows from the fact that satisfiability in $\mathcal M$ is a universal property (it has the form 'for all literals and all constraints on the branch ...'), and is therefore by standard model-theoretic reasoning preserved under limit constructions. □



Theorem 3 (Merge). If a hyper tableau $T$ closes by constraint merge, then $T$ is not satisfiable.

Proof. If $T$ closes by constraint merge then there is a way to pick a finite initial stage $T'$ of $T$, and pick constraints $\bar\sigma_1, \ldots, \bar\sigma_n$, one on each tableau branch of $T'$, such that $\sigma_1 \sqcap \cdots \sqcap \sigma_n \neq \bot$. Thus, there is a ground substitution $\theta$ with $\theta \sqsubseteq \sigma_1 \sqcap \cdots \sqcap \sigma_n$. Note that we can associate with each ground substitution an assignment in a model, as follows. If $a$ is an assignment for $\mathcal M$, and $\theta$ is a ground substitution, then the assignment $\theta a$ is given by $\theta a(v) = [\![v\theta]\!]_a$. Thus, for any model $\mathcal M$ and any assignment $a$ for $\mathcal M$ it will be the case that $\mathcal M \models_{\theta a} \sigma_1 \sqcap \cdots \sqcap \sigma_n$. So for any $\mathcal M$ there is an assignment $a'$ with $\mathcal M \models_{a'} \sigma_1$ and \ldots and $\mathcal M \models_{a'} \sigma_n$, i.e., with $\mathcal M \not\models_{a'} \bar\sigma_1$ and \ldots and $\mathcal M \not\models_{a'} \bar\sigma_n$. In other words, for any $\mathcal M$ there has to be an assignment that does not meet any of the constraints $\bar\sigma_1, \ldots, \bar\sigma_n$. □



Theorem 4 (Soundness). If there is a hyper tableau refutation for a clause set $\Phi$, then $\Phi$ is unsatisfiable.

Proof. Immediate from the Satisfiability Theorem and the Merge Theorem. □

A variable map $\theta$ meets a constraint $\bar\sigma$ if $\theta \sqcap \sigma = \bot$; $\theta$ is compatible with a branch $B$ if $\theta$ meets all constraints $\bar\sigma$ on $B$; $\theta$ is compatible with a tableau $T$ if $\theta$ is compatible with at least one branch $B$ of $T$.

Theorem 5 (Compatibility). If a tableau $T$ is open, then every ground variable map $\theta$ for $\mathrm{vars}(T)$ is compatible with $T$.

Proof. Assume $T$ consists of (open) branches $\{B_i\}_{i \geq 0}$. We have to show that every grounding is compatible with at least one $B_i$. Suppose $\theta$ is a grounding for $\mathrm{vars}(T)$ that is not compatible with any $B \in T$. Note that $\theta$ need not be a substitution, as the set $\mathrm{vars}(T)$ may be infinite. Then for each of the $B_i$ there is a constraint $\bar\sigma_i$ on $B_i$ such that $\sigma_i \sqcap \theta \neq \bot$. Since $\theta$ is grounding, $\sigma_i \sqcap \theta = \theta$, i.e., $\theta \sqsubseteq \sigma_i$. Since variable maps modulo renaming form a complete lattice under $\sqsubseteq$, it follows that $\theta \sqsubseteq \bigsqcap_{i \geq 0} \sigma_i$. Now, since any tableau is finitely branching, and since any constraint is at finite distance from the root of the tableau, by König's lemma there has to be a finite set of constraints $\bar\sigma_1, \ldots, \bar\sigma_n$ with $\forall i \geq 0\ \exists j \leq n$ such that $\bar\sigma_j$ occurs on $B_i$. But then $\sigma_1 \sqcap \cdots \sqcap \sigma_n \neq \bot$, in contradiction with the assumption that $T$ is open. □



Theorem 6 (Model Generation). Every fair open tableau for $\Phi$ has a model $\mathcal M$ with $\mathcal M \models \Phi$.

Proof. Since in a Herbrand universe groundings play the role of assignments, all we have to do to satisfy a tableau $T$ in a Herbrand model is look at all the ground instances of the tableau. To generate a model from an open hyper tableau, proceed as follows. Pick an open bundle $\mathcal B$, and consider groundings for $\mathcal B$ in $H_{\mathcal B}$.

— If there is an unconstrained $B \in \mathcal B$, the set of all instances of the positive literals along $B$ constitutes a model for the tableau. By the fairness of the tableau construction process, this model also satisfies $\Phi$.

— If all branches in $\mathcal B$ are constrained, then generate instances from groundings for $\mathcal B$ in $H_{\mathcal B}$, as follows. For every grounding $\theta$ for $\mathcal B$ in $H_{\mathcal B}$, we can pick, according to the Compatibility Theorem, a branch $B$ in $\mathcal B$ that is compatible with $\theta$. Collect the ground instances of the positive literals of $B$. The union, for all groundings $\theta$, of the sets of ground positive literals collected from branches compatible with $\theta$, constitutes a model for the tableau. Again, by the fairness of the tableau construction process, the model also satisfies $\Phi$. □

Theorem 7 (Completeness). If a clause set $\Phi$ is unsatisfiable, then there exists a hyper tableau refutation for $\Phi$.

Proof. Immediate from the Model Generation Theorem. □
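The constraint merge for closure of Section 2 (as used in the Section 3 examples) and the constrained-branch case of the Model Generation Theorem, as an added Python example that is not the paper's code (the paper's own implementation is in Haskell). The dictionary layout of a branch and the convention of storing a constraint as the substitution it complements are assumptions of this illustration; the sample branches are constructed from the 'Closure by Merge' and 'Disjunctively Satisfiable Constraints' examples.

```python
"""Added illustration (not the paper's own code): substitutions as variable
constraints, the constraint merge for closure, and Herbrand model generation from
an open tableau with only constrained branches.  As in the paper, strings starting
with x, y, z, u, w are variables, other strings are skolem constants, a tuple
('f', t1, ...) is a compound term and a literal is the tuple (P, t1, ...)."""
from itertools import product

def is_var(t):
    return isinstance(t, str) and t[0] in "xyzuw"

def walk(t, sub):
    while is_var(t) and t in sub:  # follow bindings of a triangular substitution
        t = sub[t]
    return t

def apply_sub(t, sub):
    """Fully instantiate t under sub (post-fix application in the paper)."""
    t = walk(t, sub)
    if isinstance(t, tuple):
        return (t[0],) + tuple(apply_sub(a, sub) for a in t[1:])
    return t

def unify(s, t, sub):
    """Extend sub so s and t coincide; None on clash (no occurs check: Expand's mgus are idempotent)."""
    s, t = walk(s, sub), walk(t, sub)
    if s == t:
        return sub
    if is_var(s):
        return {**sub, s: t}
    if is_var(t):
        return {**sub, t: s}
    if isinstance(s, tuple) and isinstance(t, tuple) and len(s) == len(t) and s[0] == t[0]:
        for a, b in zip(s[1:], t[1:]):
            sub = unify(a, b, sub)
            if sub is None:
                return None
        return sub
    return None

def merge(*subs):
    """Greatest common instance s1 ⊓ ... ⊓ sn: mgu of all v ≈ s_i(v); None is ⊥."""
    sub = {}
    for s in subs:
        for v, t in s.items():
            sub = unify(v, t, sub)
            if sub is None:
                return None
    return {v: apply_sub(v, sub) for v in sub}

def meets(theta, sigma):
    """theta meets the constraint complementing sigma iff theta ⊓ sigma = ⊥."""
    return merge(theta, sigma) is None

def closes(branches):
    """Constraint merge for closure: merge one closing substitution per branch; None means open."""
    if any(not b["constraints"] for b in branches):
        return None
    for pick in product(*(b["constraints"] for b in branches)):
        merged = merge(*pick)
        if merged is not None:
            return merged
    return None

def variables(t, acc):
    if is_var(t):
        acc.add(t)
    elif isinstance(t, tuple):
        for a in t[1:]:
            variables(a, acc)
    return acc

def herbrand_model(branches, universe):
    """Theorem 6, constrained case: for each grounding pick a compatible branch and collect its ground literals."""
    bvars = set()
    for b in branches:
        for lit in b["literals"]:
            variables(lit, bvars)
        for c in b["constraints"]:
            for v, t in c.items():
                variables(t, bvars).add(v)
    model = set()
    for values in product(universe, repeat=len(bvars)):
        theta = dict(zip(sorted(bvars), values))
        # Compatibility Theorem: an open tableau has a branch compatible with theta.
        branch = next(b for b in branches if all(meets(theta, c) for c in b["constraints"]))
        model.update(apply_sub(lit, theta) for lit in branch["literals"])
    return model

# Constructed from Section 4, "Disjunctively Satisfiable Constraints":
# {Rxy ∨ Sxy, ¬Rza, ¬Sub} with x, y rigid.  A constraint is stored as the
# substitution it complements: left branch Rxy with y ≉ a, right Sxy with y ≉ b.
DISJUNCTIVE = [
    {"literals": [("R", "x", "y")], "constraints": [{"y": "a"}]},
    {"literals": [("S", "x", "y")], "constraints": [{"y": "b"}]},
]
# Constructed from Section 3, "Closure by Merge": {Sxy ∨ Syx, ¬Sab, ¬Sba}.
MERGE_CLOSES = [
    {"literals": [("S", "x", "y")], "constraints": [{"x": "a", "y": "b"}]},
    {"literals": [("S", "y", "x")], "constraints": [{"y": "b", "x": "a"}]},
]
```

`closes(DISJUNCTIVE)` returns None (the two constraints clash on $y$), `closes(MERGE_CLOSES)` returns the closing substitution, and `herbrand_model(DISJUNCTIVE, ["a", "b"])` rebuilds the four facts of the Section 4 example.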

6 Fair Computation

A tableau calculus is non-destructive if all tableaux that can be constructed with the help of its rules from a given tableau $T$ contain $T$ as an initial sub-tree [6]. The usual versions of free variable tableaux are all destructive. Clearly, the CHT calculus is non-destructive. A tableau calculus is proof confluent if every tableau for an unsatisfiable clause set $\Phi$ can be expanded to a closed tableau [6]. Again, it is clear that the CHT calculus is proof-confluent.

Because of its non-destructiveness and proof-confluence, fair computation with constrained hyper tableaux is easy. We give a mere sketch. First apply Expand to every positive clause, on every branch. Next, use the list of positive literals on a branch to select the candidates from the clause set for a match. For a given $P$ on the branch and candidate clause $\phi$, determine whether $P$ needs to be copied for a match. If so, apply Expand again to generate the appropriate number of alphabetic variants. Next apply Expand to the mixed and the negative clauses. As the applications of Expand are non-destructive, no backtracking is ever needed in the merge check for closure.

As one of the referees pointed out, there is scope for further redundancy tests. E.g., for the clause set $\{Pa, Pb, Px \Rightarrow Q\}$ we would get $Q$ twice on the branch. This can be avoided by adding a check like 'never expand a branch with a clause instance if it is already true in all models of the branch'. In the same spirit, if a branch is expanded with a literal $A$, but a proper instance $A\sigma$ is already present, then $A\sigma$ may be deleted from the branch, on condition of course that none of the variables in $A$ are rigid.

We are experimenting with an implementation of CHT reasoning in Haskell [7], with merge checks for closure performed on tableau branches represented as lazy lists. Since the method is essentially breadth-first, space consumption is an issue, and it remains to be seen what the practical merits of the approach are.

7 Related Work

The standard reference for free variable reasoning in first order tableaux is [3]. With the introduction of free variables in tableaux, easy model generation from open tableaux got lost. Working with variable constraints in the manner explained above restores this delightful property of tableau reasoning.

The research for this paper was sparked off by a suggestion from [4] to do tableau proof search by merging closing substitutions for tableau branches into a closing substitution for the whole tableau. This suggestion is worked out in [5]. The difference between that approach and the present one is that we use disunification constraints rather than unification constraints. In our approach, the negations of the substitutions that close a branch are viewed as constraints on branch satisfiability, and a tableau remains open as long as there is no way to unify a list of constraints selected from each branch. Since this is done in a setting where open branches only contain positive literals, it is ensured that a constraint can never clash with a branch literal.

The idea to enrich tableau branches with history lists for keeping track of the clause instances used in the construction of the branch is from [1]. As is mentioned there, this bookkeeping stratagem makes hyper tableaux a decision engine for satisfiability of the Bernays-Schönfinkel class (relational $\exists^*\forall^*$ sentences without equality). The clause form of such sentences may have skolem constants, but since there are no skolem functions, any clause has only a finite number of instances. Thus, the history conditions ensure that tableau developments for Bernays-Schönfinkel sentences are always finite.

One of the referees drew my attention to [8], an earlier proposal for handling rigid variables in a hyper tableau setting (with no variable constraints involved, however), for which completeness unfortunately remained open. The present paper settles this issue.

As far as I know, the idea to use constraints on the interpretation of rigid tableau variables for model generation from open free variable tableaux is new. This idea, by the way, applies to free variable tableau reasoning in general. Instead of using a closure rule that applies a most general unifying substitution $\sigma$ for $A$ and $\neg A'$ to a whole tableau, generate the constraint $\bar\theta$, where $\theta$ is the restriction of $\sigma$ to the rigid variables of the current branch, and add a constraint merge for closure check: see [10] for details.
Abstract. We introduce a modal language L which is obtained from standard modal logic by adding the difference operator and modal operators interpreted by boolean combinations and the converse of accessibility relations. It is proved that L has the same expressive power as the two-variable fragment FO$^2$ of first-order logic but speaks less succinctly about relational structures: if the number of relations is bounded, then L-satisfiability is ExpTime-complete but FO$^2$ satisfiability is NExpTime-complete. We indicate that the relation between L and FO$^2$ provides a general framework for comparing modal and temporal languages with first-order languages.



1 Introduction 

Ever since it became common knowledge that many modal logics can be regarded as fragments of first-order logics, the exploration of the relation between those two families of languages has been a major research topic: Kamp's result [18] that modal logic with binary operators Since and Until has the same expressive power as monadic first-order logic over structures like (ℕ, <) and (ℝ, <) was the starting point. Van Benthem [27,28] provided a systematic model theoretic analysis of the relation between families of modal logics and predicate logics, and Gabbay [10,9] extended Kamp's result to a systematic investigation of the possibilities of designing expressively complete modal logics. As part of his investigation Gabbay made the basic observation that often modal languages are contained in finite variable fragments of first-order logics. The basic modal language with unary operators only, for example, lies embedded even in the two-variable fragment FO² of first-order logic. In the early 1990s, this observation was regarded as an explanation for the decidability of many modal logics: the decidability of FO² (cf. [22,24,14]) explains the decidability of standard modal logics simply because they are contained in it.¹ The situation is different as soon as our concern is computational complexity: while most standard modal logics are decidable in ExpTime or even PSpace and NP (see e.g. [19,2,26]), the two-variable fragment is NExpTime-complete [14]. A question naturally arising is why modal logics, in general, are of a lower complexity than the two-variable fragment. It is worth noting that this phenomenon is not due to the fact that modal logics have a fixed number of modal operators (alias accessibility relations interpreting them), whereas the two-variable fragment allows for arbitrarily many binary relations: even without relation symbols of arity > 1, the two-variable fragment is NExpTime-hard [8,3]. There are two possible explanations for this phenomenon:

1. Explanation: any "standard modal logic" contained in FO² has strictly less expressive power than FO² itself, or

2. Explanation: although the expressive power of the two-variable logic coincides with the expressive power of a standard modal logic, the way it speaks about relational structures is strictly more succinct than the way modal languages do.

¹ More recently it has been argued that some "modal phenomena" are better explained by their tree-model-property [29] (i.e., they are determined by tree-like structures) and/or by embedding them in bounded (or guarded) fragments of first-order logic [1,13]. The logics we consider here do not have those properties.

The main contribution of this paper is to show that (2.) is the case: to this end, we define a natural modal logic L, prove that it has the same expressive power as FO², and show that, as soon as we allow for a bounded number of relation symbols only, L-satisfiability is only ExpTime-complete. The logic L extends basic multi-modal logic by means of taking the closure under forming (1) Boolean combinations of accessibility relations, (2) the converse of accessibility relations, and (3) the identity relation. All those ingredients have been investigated and applied intensively: see [11,17,20] for (1), [5,12,31] for (2), and [6] for (3). Hence L can certainly be regarded as a standard member of the modal family.

The usefulness of our result, i.e., the expressive completeness of L for FO², is demonstrated by showing that it provides a general framework for comparing the expressive power and complexity of modal and first-order logic. For example, as soon as our concern is weak temporal logics (with the operators 'always in the future' and 'always in the past' only) interpreted over strict linear orderings, the Boolean operations and the identity relation become definable, which means that weak temporal logics have the same expressive power as FO² over strict linear orderings (and without further binary relation symbols). For the strict linear ordering (ℕ, <), this was first proved in [7]. In this case the complexity gap is even wider: over (ℕ, <), weak temporal logic is in NP [25] while FO² is NExpTime-complete [7,15]. In the present paper we show that this holds for (ℚ, <) and (ℝ, <) as well.

2 Expressivity 

We start with definitions of the languages under consideration. FO² comprises exactly those first-order formulas without constants and function symbols but with equality whose only variables are $x$ and $y$ and whose relation symbols have arity $\le 2$. The unary predicates are denoted by $P_1, \dots$ while the binary ones are $R_1, \dots$. For $m < \omega$ we denote by $\mathrm{FO}^2_m$ the fragment of FO² consisting of formulas containing only the first $m$ binary relations. FO² is interpreted in the standard manner in structures of the form $(W, \mathcal{P}_1, \dots, \mathcal{R}_1, \dots)$ in which the $\mathcal{P}_i$ interpret the $P_i$ and the $\mathcal{R}_i$ interpret the $R_i$.

The modal language L is Boolean modal logic [11,20] enriched with a converse constructor and the identity relation.

Definition 1. A complex modal parameter is an expression built up from atomic modal parameters $R_1, \dots$, the identity parameter $\mathit{id}$, and the operators $\neg$, $\cap$ and $^-$. For $m < \omega$ we denote by $L_m$ the modal language defined inductively as follows:

— all propositional variables $p_1, p_2, \dots$ belong to $L_m$;

— if $\varphi, \psi \in L_m$ and $S$ is a complex modal parameter built from the first $m$ atomic modal parameters $R_1, \dots, R_m$ and $\mathit{id}$, then $\neg\varphi$, $\varphi \wedge \psi$, and $\langle S\rangle\varphi$ belong to $L_m$.

We abbreviate $\top = p_1 \vee \neg p_1$ and $\bot = \neg\top$. The box operator $[S]\varphi$ and other Boolean connectives are defined as abbreviations in the standard manner.

A Kripke-model is a structure $\mathcal{M} = (W, \pi, \mathcal{R}_1, \dots)$ in which $\pi$ associates with every variable $p$ a subset $\pi(p)$ of $W$. Let $S$ be a (possibly complex) modal parameter. Then the extension $\mathcal{E}(S)$ is inductively defined as follows:

$$\begin{array}{ll}
\text{if } S = R_i \text{ (i.e., } S \text{ is atomic)} & \text{then } \mathcal{E}(S) = \mathcal{R}_i \\
\text{if } S = \mathit{id} & \text{then } \mathcal{E}(S) = \{(w,w) \mid w \in W\} \\
\text{if } S = \neg S' & \text{then } \mathcal{E}(S) = (W \times W) \setminus \mathcal{E}(S') \\
\text{if } S = S_1 \cap S_2 & \text{then } \mathcal{E}(S) = \mathcal{E}(S_1) \cap \mathcal{E}(S_2) \\
\text{if } S = S_1^- & \text{then } \mathcal{E}(S) = \{(w,w') \mid (w',w) \in \mathcal{E}(S_1)\}
\end{array}$$

The semantics of formulas is defined inductively in the standard way, e.g. for the diamond operator we have

$$\mathcal{M}, w \models \langle S\rangle\varphi \quad\text{iff}\quad \exists w' \in W \text{ with } (w,w') \in \mathcal{E}(S) \text{ and } \mathcal{M}, w' \models \varphi.$$

Given a Kripke-model $\mathcal{M} = (W, \pi, \mathcal{R}_1, \dots)$, define a corresponding first-order model $\mathcal{M}_\sigma = (W, \mathcal{P}_1, \dots, \mathcal{R}_1, \dots)$ by setting $\mathcal{P}_i = \pi(p_i)$.
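The clauses above can be checked mechanically on a finite model. The following Python is an added example, not code from the paper: it computes $\mathcal{E}(S)$ for a complex modal parameter by the five inductive clauses and evaluates formulas with the diamond clause exactly as displayed, on a constructed three-world model. The tuple encoding of parameters and formulas, the helper names and the sample model are assumptions of the example; the function `reflexive_points` also illustrates Case 2 of the proof of Theorem 1 below, where $R_i(x,x)$ is rendered as $\langle \mathit{id} \cap R_i\rangle\top$.

```python
# Added example (not from the paper): extension E(S) of complex modal parameters
# and evaluation of formulas on a finite Kripke model (assumed tuple encoding).
from itertools import product

# Modal parameters:  ('R', i) = R_i,  'id',  ('neg', S) = ¬S,
#                    ('cap', S1, S2) = S1 ∩ S2,  ('conv', S) = S⁻
# Formulas:          ('p', i) = p_i, ('not', f), ('and', f, g), ('dia', S, f) = ⟨S⟩f

def ext(model, S):
    """E(S), following the five inductive clauses of the definition."""
    W, R = model['W'], model['R']
    if S == 'id':
        return {(w, w) for w in W}
    if S[0] == 'R':
        return set(R[S[1]])
    if S[0] == 'neg':
        return set(product(W, W)) - ext(model, S[1])
    if S[0] == 'cap':
        return ext(model, S[1]) & ext(model, S[2])
    if S[0] == 'conv':
        return {(w, w1) for (w1, w) in ext(model, S[1])}
    raise ValueError(f"unknown parameter {S!r}")

def holds(model, w, f):
    """M, w |= f; the diamond clause is the one displayed in the text."""
    if f[0] == 'p':
        return w in model['pi'].get(f[1], set())
    if f[0] == 'not':
        return not holds(model, w, f[1])
    if f[0] == 'and':
        return holds(model, w, f[1]) and holds(model, w, f[2])
    if f[0] == 'dia':
        # exists w' with (w, w') in E(S) and M, w' |= f
        return any(holds(model, w2, f[2])
                   for (w1, w2) in ext(model, f[1]) if w1 == w)
    raise ValueError(f"unknown formula {f!r}")

def box(S, f):
    """[S]f as the usual abbreviation ¬⟨S⟩¬f."""
    return ('not', ('dia', S, ('not', f)))

TOP = ('not', ('and', ('p', 1), ('not', ('p', 1))))   # ⊤ = ¬(p1 ∧ ¬p1)

# Constructed sample model: three worlds, one accessibility relation R_1,
# p_1 true at world 0 only.  R_1 is reflexive at world 2 and nowhere else.
MODEL = {
    'W': {0, 1, 2},
    'R': {1: {(0, 1), (1, 2), (2, 2)}},
    'pi': {1: {0}},
}

def reflexive_points(model, i):
    """Worlds w with R_i(w, w): by Case 2 of the proof of Theorem 1 these are
    exactly the worlds where ⟨id ∩ R_i⟩⊤ holds."""
    return {w for w in model['W']
            if holds(model, w, ('dia', ('cap', 'id', ('R', i)), TOP))}

if __name__ == "__main__":
    print(ext(MODEL, ('conv', ('R', 1))))   # converse of R_1
    print(reflexive_points(MODEL, 1))       # {2}
```

Because `ext` recomputes the extension on every diamond, the checker is quadratic in the model size per operator; for a decision procedure one would instead precompute the extension of each parameter occurring in the formula once, which is what Section 3 effectively does by fixing relational types.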

We start our investigation of the relationship between FO² and L by showing that these logics are equally expressive. If we write $\varphi(x)$, $\varphi(y)$ for formulas, we assume that at most the displayed variable occurs free in $\varphi$.

Theorem 1 (Expressive completeness for 2-variable-logic). For every $\varphi \in L$ there exists a formula $\varphi^{\mathsf{fo}}(x) \in \mathrm{FO}^2$ whose length is linear in the length of $\varphi$ such that the following holds for all Kripke-models $\mathcal{M}$ and all $a \in W$:

$$\mathcal{M}, a \models \varphi \iff \mathcal{M}_\sigma \models \varphi^{\mathsf{fo}}(a).$$

Conversely, given $\varphi(x) \in \mathrm{FO}^2$ there exists a formula $\varphi^{\mathsf{ml}} \in L$ whose length is exponential in the length of $\varphi$ such that the following holds for all Kripke-models $\mathcal{M}$ and all $a \in W$:

$$\mathcal{M}, a \models \varphi^{\mathsf{ml}} \iff \mathcal{M}_\sigma \models \varphi(a).$$
Proof. The proof of the first claim is standard [27,28], so we concentrate on the second one, whose proof is rather similar to the proof provided in [7] for temporal logics.

An FO²-formula $\varphi(x,y)$ is called a binary atom if it is an atom of the form $R_i(x,y)$, $R_i(y,x)$, or $x = y$. A binary type $t$ for a formula $\varphi$ is a set of FO²-formulas containing (i) either $\chi$ or $\neg\chi$ for each binary atom $\chi$ occurring in $\varphi$, (ii) either $x = y$ or $x \ne y$, and (iii) no other formulas than these. The set of binary types for $\varphi$ is denoted by $T_\varphi$. A formula $\chi$ is called a unary atom if it is of the form $R_i(x,x)$, $R_i(y,y)$, $P_i(x)$, or $P_i(y)$.

Let $\varphi(x) \in \mathrm{FO}^2$. We assume $\varphi(x)$ is built using $\exists$, $\wedge$, and $\neg$ only. We inductively define two mappings $(\cdot)^{\mathsf{ml}_x}$ and $(\cdot)^{\mathsf{ml}_y}$, where the former takes each FO²-formula $\varphi(x)$ to the corresponding L-formula and the latter does the same for FO²-formulas $\varphi(y)$. We only give the details of $(\cdot)^{\mathsf{ml}_x}$ since $(\cdot)^{\mathsf{ml}_y}$ is defined analogously by switching the roles of $x$ and $y$.

Case 1. If $\varphi(x) = P_i(x)$, then put $(\varphi(x))^{\mathsf{ml}_x} = p_i$.

Case 2. If $\varphi(x) = R_i(x,x)$, then put $(\varphi(x))^{\mathsf{ml}_x} = \langle \mathit{id} \cap R_i\rangle\top$.

Case 3. If $\varphi(x) = \chi_1 \wedge \chi_2$, then put, recursively, $(\varphi(x))^{\mathsf{ml}_x} = \chi_1^{\mathsf{ml}_x} \wedge \chi_2^{\mathsf{ml}_x}$.

Case 4. If $\varphi(x) = \neg\chi$, then put, recursively, $(\varphi(x))^{\mathsf{ml}_x} = \neg(\chi)^{\mathsf{ml}_x}$.

Case 5. If $\varphi(x) = \exists y\,\chi(x,y)$, then $\chi(x,y)$ can clearly be written as

$$\chi(x,y) = \chi[\rho_1, \dots, \rho_r, \gamma_1(x), \dots, \gamma_\ell(x), \delta_1(y), \dots, \delta_s(y)],$$

i.e., as a Boolean combination $\chi$ of $\rho_i$, $\gamma_i(x)$, and $\delta_i(y)$; the $\rho_i$ are binary atoms; the $\gamma_i(x)$ are unary atoms or of the form $\exists y\,\gamma_i'$; and the $\delta_i(y)$ are unary atoms or of the form $\exists x\,\delta_i'$. We may assume that $x$ occurs free in $\varphi(x)$. Our first step is to move all formulas without a free variable $y$ out of the scope of $\exists$: obviously, $\varphi(x)$ is equivalent to

$$\bigvee_{(w_1,\dots,w_\ell) \in \{\top,\bot\}^\ell} \Big( \bigwedge_{1 \le i \le \ell} (\gamma_i \leftrightarrow w_i) \wedge \exists y\,\chi(\rho_1, \dots, \rho_r, w_1, \dots, w_\ell, \delta_1, \dots, \delta_s) \Big) \qquad (1)$$

For every binary type $t \in T_\varphi$ and binary atom $\alpha$ from $\varphi$, we have $t \models \alpha$ or $t \models \neg\alpha$; hence we can "guess" a binary type $t$ and then replace all binary atoms by either true or false. For $t \in T_\varphi$, let $\rho_i^t = \top$ if $t \models \rho_i$, and $\rho_i^t = \bot$ otherwise. Then $\varphi(x)$ is equivalent to

$$\bigvee_{(w_1,\dots,w_\ell) \in \{\top,\bot\}^\ell} \Big( \bigwedge_{1 \le i \le \ell} (\gamma_i \leftrightarrow w_i) \wedge \bigvee_{t \in T_\varphi} \exists y \big( (\bigwedge_{\alpha \in t} \alpha) \wedge \chi(\rho_1^t, \dots, \rho_r^t, w_1, \dots, w_\ell, \delta_1, \dots, \delta_s) \big) \Big).$$

Define, for every negated and unnegated binary atom $\alpha$, a complex modal parameter $\alpha^{\mathsf{ml}}$ as follows:

$$\begin{array}{ll}
(x = y)^{\mathsf{ml}} = \mathit{id} & (\neg(x = y))^{\mathsf{ml}} = \neg\mathit{id} \\
(R_i(x,y))^{\mathsf{ml}} = R_i & (\neg R_i(x,y))^{\mathsf{ml}} = \neg R_i \\
(R_i(y,x))^{\mathsf{ml}} = R_i^- & (\neg R_i(y,x))^{\mathsf{ml}} = \neg R_i^-
\end{array}$$

Put, for every binary type $t \in T_\varphi$, $S_t := \bigcap_{\alpha \in t} \alpha^{\mathsf{ml}}$, compute, recursively, $\gamma_i^{\mathsf{ml}_x}$ and $\chi(\rho_1^t, \dots, \rho_r^t, w_1, \dots, w_\ell, \delta_1, \dots, \delta_s)^{\mathsf{ml}_y}$, and define $(\varphi(x))^{\mathsf{ml}_x}$ as

$$\bigvee_{(w_1,\dots,w_\ell) \in \{\top,\bot\}^\ell} \Big( \bigwedge_{1 \le i \le \ell} (\gamma_i^{\mathsf{ml}_x} \leftrightarrow w_i) \wedge \bigvee_{t \in T_\varphi} \langle S_t\rangle\,\chi(\rho_1^t, \dots, \rho_r^t, w_1, \dots, w_\ell, \delta_1, \dots, \delta_s)^{\mathsf{ml}_y} \Big).$$

Note that $\varphi^{\mathsf{ml}}$ can be computed in polynomial time in the length of $\varphi^{\mathsf{ml}}$. We should like to stress that the existence of formalisms with some 'modal flavour' and the same expressive power as FO² is known [4,10]. However, these formalisms have a number of purely technical constructs which did not find applications in modal or description logic. In [4], for example, Borgida constructs a counterpart $L'$ of FO² in which accessibility relations $\mathcal{R}$ can be defined as products of extensions of formulas: for any two formulas $\varphi_1, \varphi_2$ one can form $\mathcal{R} = \{w \in W : w \models \varphi_1\} \times \{w \in W : w \models \varphi_2\}$. The expressive completeness result for $L'$ becomes rather straightforward. In fact, the translation provided by Borgida is polynomial so that $L'$ is speaking about relational structures as succinctly as FO² does.

3 Complexity

We show that, for $0 < m < \omega$, $L_m$-satisfiability is ExpTime-complete and hence in a lower complexity class than $\mathrm{FO}^2_m$-satisfiability, which is known to be NExpTime-complete [14].² Together with the expressivity result obtained in the previous section, this shows that FO² speaks about relational structures more succinctly than L does (if ExpTime ≠ NExpTime, to be precise). The ExpTime lower bound for $L_m$-satisfiability is an immediate consequence of the fact that Boolean modal logic is ExpTime-hard even if $m = 1$ [20]. Hence, we concentrate on the upper bound. It is established by first (polynomially) reducing $L_m$-satisfiability to a certain variant of $\mathcal{ML}^d$-satisfiability, where $\mathcal{ML}^d$ is multi-modal K enriched with the difference modality [6], and then showing that this variant of $\mathcal{ML}^d$-satisfiability can be decided in ExpTime.

3.1 Reducing $L_m$ to $\mathcal{ML}^d_{s,t,n}$

In this section, we generally assume that $0 < m < \omega$. The following languages are used in the reduction:

Definition 2 (Languages). (1) By $\mathcal{ML}^d_{s,t,n}$ we denote the modal language with $k = 2s + t + n$ modal parameters

$$\Phi = \{K_1, \dots, K_s, I_1, \dots, I_s, X_1, \dots, X_t, Y_1, \dots, Y_n\}$$

² Throughout this paper, we assume that ExpTime is defined as $\bigcup_{k > 0} \mathrm{DTIME}(2^{n^k})$ and NExpTime as $\bigcup_{k > 0} \mathrm{NTIME}(2^{n^k})$.

and the difference modality $\langle d\rangle$, where $d$ is an abbreviation for $\neg\mathit{id}$.

(2) $L^{\mathrm{at}}_m$ is $L_m$ with negation of modal parameters restricted to atomic modal parameters and without union of modal parameters.

(3) By $\mathcal{ML}^-_{s,t,n}$ we denote the modal language with converse and $k = s + t + n$ modal parameters $K_1, \dots, K_s, X_1, \dots, X_t, Y_1, \dots, Y_n$.

Definition 3 (Semantics). A structure $(W, \mathcal{K}_1, \dots, \mathcal{K}_s, \mathcal{X}_1, \dots, \mathcal{X}_t, \mathcal{Y}_1, \dots, \mathcal{Y}_n)$ is called a c-frame iff

1. the relations $\mathcal{K}_i$ are irreflexive and antisymmetric,

2. the relations $\mathcal{X}_i$ are irreflexive and symmetric,

3. the relations $\mathcal{Y}_i$ are subsets of $\{(w,w) \mid w \in W\}$,

4. for all $w, w' \in W$ with $w \ne w'$, there exists a unique $S \in \{\mathcal{K}_1, \dots, \mathcal{K}_s, \mathcal{K}_1^-, \dots, \mathcal{K}_s^-, \mathcal{X}_1, \dots, \mathcal{X}_t\}$ such that $(w,w') \in S$, and

5. for each $w \in W$, there exists a unique $i$ with $1 \le i \le n$ such that $(w,w) \in \mathcal{Y}_i$,

where $\mathcal{R}_i^-$ is used to denote the converse of a binary relation $\mathcal{R}_i$. An $\mathcal{ML}^-_{s,t,n}$-formula is called c-satisfiable iff it has a model which is based on a c-frame. Such a model is called a c-model.

A structure $\mathcal{M} = (W, \mathcal{K}_1, \dots, \mathcal{K}_s, \mathcal{I}_1, \dots, \mathcal{I}_s, \mathcal{X}_1, \dots, \mathcal{X}_t, \mathcal{Y}_1, \dots, \mathcal{Y}_n)$ is called an s-frame iff there exists a c-frame

$$\mathcal{M}' = (W, \mathcal{K}'_1, \dots, \mathcal{K}'_s, \mathcal{X}'_1, \dots, \mathcal{X}'_t, \mathcal{Y}'_1, \dots, \mathcal{Y}'_n)$$

such that $\mathcal{K}_i \subseteq \mathcal{K}'_i$, $\mathcal{I}_j \subseteq (\mathcal{K}'_j)^-$, $\mathcal{X}_i \subseteq \mathcal{X}'_i$, and $\mathcal{Y}_i \subseteq \mathcal{Y}'_i$. An $\mathcal{ML}^d_{s,t,n}$-formula is called s-satisfiable iff it is satisfiable in a model based on an s-frame. Such a model is called an s-model.

A literal is a modal parameter that matches one of the following descriptions:

— an atomic parameter or the negation thereof,

— the inverse of an atomic parameter or the negation thereof,

— the identity parameter or the negation of the identity parameter.

The reduction is comprised of a series of polynomial reduction steps. Let $\varphi$ be an $L_m$-formula.

Step 1. Exhaustively apply the following rewrite rules to modal parameters in $\varphi$:

$$\begin{array}{lll}
(\neg S)^- \leadsto \neg(S^-) & (S_1 \cup S_2)^- \leadsto S_1^- \cup S_2^- & \mathit{id}^- \leadsto \mathit{id} \\
S^{--} \leadsto S & (S_1 \cap S_2)^- \leadsto S_1^- \cap S_2^- & (\neg\mathit{id})^- \leadsto \neg\mathit{id}
\end{array}$$

In the resulting formula $\varphi_1$, all modal parameters are Boolean combinations of literals.

Step 2. Convert all modal parameters in $\varphi_1$ to disjunctive normal form over literals using a truth table (as, e.g., described in [23], page 20). If the "empty disjunction" is obtained when converting a modal parameter $S$, then replace every occurrence of $\langle S\rangle\psi$ with $\bot$. Call the result of the conversion $\varphi_2$. The conversion can be done in linear time since the number $m$ of atomic modal parameters is fixed and we use a truth table for the conversion (instead of applying equivalences). It is easy to see that $\varphi_2$ is satisfiable iff $\varphi_1$ is satisfiable. Since the conversion to DNF was done using a truth table, each disjunct occurring in a modal parameter in $\varphi_2$ is a relational type, i.e., of the form $S_0 \cap S_1 \cap \dots \cap S_m \cap S'_1 \cap \dots \cap S'_m$ where

1. $S_0 = \mathit{id}$ or $S_0 = \neg\mathit{id}$,

2. $S_i = R_i$ or $S_i = \neg R_i$ for $1 \le i \le m$, and

3. $S'_i = R_i^-$ or $S'_i = \neg(R_i^-)$ for $1 \le i \le m$.

Let $T^=$ be the set of all relational types with $S_0 = \mathit{id}$, $T^{\ne}$ be the set of all relational types with $S_0 = \neg\mathit{id}$, and $T = T^= \cup T^{\ne}$.
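Steps 1 and 2 can be run as a small procedure. The following Python is an added example, not the paper's code: it applies the six converse rewrite rules of Step 1 and then builds the truth table over the $2m+1$ literals $\mathit{id}, R_1, \dots, R_m, R_1^-, \dots, R_m^-$ to read off the relational types of a parameter (Step 2), returning the empty set in the "empty disjunction" case, and splits the result into $T^=$ and $T^{\ne}$. The tuple encoding, the function names and the sample parameters are assumptions of the example.

```python
# Added example (not the paper's code): Step 1 (pushing converse inward) and
# Step 2 (truth-table DNF over literals, giving relational types).
from itertools import product

# Parameter encoding (assumed):  ('R', i), 'id', ('neg', S), ('cap', S1, S2),
# ('cup', S1, S2) for S1 ∪ S2, and ('conv', S) for S⁻.

def push_converse(S):
    """Step 1: apply the rewrite rules until converse sits on atoms only."""
    if S == 'id' or S[0] == 'R':
        return S
    op = S[0]
    if op == 'neg':
        return ('neg', push_converse(S[1]))
    if op in ('cap', 'cup'):
        return (op, push_converse(S[1]), push_converse(S[2]))
    T = S[1]                                   # op == 'conv'
    if T == 'id':
        return 'id'                            # id⁻ → id
    if T[0] == 'R':
        return S                               # R_i⁻ is already a literal
    if T[0] == 'conv':
        return push_converse(T[1])             # S⁻⁻ → S
    if T[0] == 'neg':                          # (¬S)⁻ → ¬(S⁻); covers (¬id)⁻ → ¬id
        return ('neg', push_converse(('conv', T[1])))
    # (S1 ∩ S2)⁻ → S1⁻ ∩ S2⁻ and (S1 ∪ S2)⁻ → S1⁻ ∪ S2⁻
    return (T[0], push_converse(('conv', T[1])), push_converse(('conv', T[2])))

def evaluate(S, row):
    """Truth value of a Boolean combination of literals in one truth-table row."""
    if S == 'id' or S[0] in ('R', 'conv'):
        return row[S]
    if S[0] == 'neg':
        return not evaluate(S[1], row)
    if S[0] == 'cap':
        return evaluate(S[1], row) and evaluate(S[2], row)
    if S[0] == 'cup':
        return evaluate(S[1], row) or evaluate(S[2], row)
    raise ValueError(f"unknown parameter {S!r}")

def relational_types(S, m):
    """Step 2: the relational types whose union equals S, over the first m
    atomic parameters.  Each type is a frozenset of (literal, truth value)
    pairs, i.e. a conjunction S0 ∩ S1 ∩ … ∩ Sm ∩ S1' ∩ … ∩ Sm'.  The empty
    set is the 'empty disjunction' case, where ⟨S⟩ψ is replaced by ⊥."""
    S = push_converse(S)
    literals = (['id'] + [('R', i) for i in range(1, m + 1)]
                + [('conv', ('R', i)) for i in range(1, m + 1)])
    types = set()
    for bits in product((True, False), repeat=len(literals)):   # 2^(2m+1) rows
        row = dict(zip(literals, bits))
        if evaluate(S, row):
            types.add(frozenset(row.items()))
    return types

def split_types(types):
    """T^= (types with S0 = id) and T^≠ (types with S0 = ¬id)."""
    eq = {t for t in types if ('id', True) in t}
    return eq, types - eq

# Constructed sample parameters over m = 1.
SAMPLE = ('neg', ('cap', ('R', 1), 'id'))        # ¬(R_1 ∩ id)
EMPTY = ('cap', ('R', 1), ('neg', ('R', 1)))     # R_1 ∩ ¬R_1

if __name__ == "__main__":
    eq, neq = split_types(relational_types(SAMPLE, 1))
    print(len(eq), len(neq), len(relational_types(EMPTY, 1)))   # 2 4 0
```

The truth table is purely syntactic, as in the text: it does not exploit semantic dependencies between literals (for instance that $\mathit{id} \cap R_i \cap \neg R_i^-$ has an empty extension in every model), so some of the listed types may be unsatisfiable; this is harmless for the reduction, since the table has constant size once $m$ is fixed.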

Step 3. We reduce satisfiability of $L_m$-formulas of the form of $\varphi_2$ (i.e., the modal parameters are disjunctions of relational types) to the satisfiability of $L^{\mathrm{at}}_m$-formulas in which all modal parameters are relational types. As the first step, recursively apply the following substitution to $\varphi_2$ from the inside to the outside (i.e., no union on modal parameters occurs in $\psi$):

$$\langle S_1 \cup \dots \cup S_k\rangle\psi \ \leadsto\ \langle S_1\rangle p_\psi \vee \dots \vee \langle S_k\rangle p_\psi$$

where $p_\psi$ is a new propositional variable. Call the result of these substitutions $\varphi_2'$. Secondly, define

$$\varphi_3 := \varphi_2' \wedge \bigwedge_{p_\psi \text{ occurs in } \varphi_2'}\ \bigwedge_{S \in \Gamma_\varphi} [S](p_\psi \leftrightarrow \psi).$$

$\varphi_3$ is an $L^{\mathrm{at}}_m$-formula as required.³ Furthermore, $\varphi_2$ is satisfiable iff $\varphi_3$ is satisfiable, and the reduction is linear.

Step 4. It is not hard to see that the set $\Gamma_\varphi$ (from Step 3) can be partitioned into three sets $\Gamma^K$, $\Gamma^{K^-}$, and $\Gamma^X$ such that there exists a bijection $F$ from $\Gamma^K$ onto $\Gamma^{K^-}$ and, for every Kripke structure $\mathcal{M}$ with set of worlds $W$, and $w, w' \in W$, the following holds:

1. for all $S \in \Gamma^X$: $\mathcal{M}, (w,w') \models S$ iff $\mathcal{M}, (w',w) \models S$ and

2. for all $S \in \Gamma^K$: $\mathcal{M}, (w,w') \models S$ iff $\mathcal{M}, (w',w) \models F(S)$.

Given this, it is easy to reduce satisfiability of $L^{\mathrm{at}}_m$-formulas of the form of $\varphi_3$ to c-satisfiability of $\mathcal{ML}^-_{s,t,n}$-formulas, where $s = |\Gamma^K|$, $t = |\Gamma^X|$, and $n = |T^=|$. Let $r$ be some bijection between $\Gamma^K$ and the set $\{K_1, \dots, K_s\}$, $r'$ some bijection between $\Gamma^X$ and the set $\{X_1, \dots, X_t\}$, and $r''$ some bijection between $T^=$ and the set $\{Y_1, \dots, Y_n\}$. The formula $\varphi_4$ is obtained from $\varphi_3$ by replacing (1.) each element $S$ of $\Gamma^K$ that appears in $\varphi_3$ with $r(S)$, (2.) each element $F(S)$ of $\Gamma^{K^-}$ with $r(S)^-$, (3.) each element $S$ of $\Gamma^X$ with $r'(S)$, and (4.) each element $S$ of $T^=$ with $r''(S)$. It can be proved that $\varphi_3$ is satisfiable iff $\varphi_4$ is c-satisfiable. Furthermore, the reduction is obviously linear.

³ We use $\bigwedge_{S \in \Gamma_\varphi}[S](p_\psi \leftrightarrow \psi)$ instead of the more natural $[R](p_\psi \leftrightarrow \psi) \wedge [\neg R](p_\psi \leftrightarrow \psi)$ (for some atomic $R$) to ensure that all modal parameters in $\varphi_3$ are still relational types after the application of Step 3.

Step 5. We reduce c-satisfiability of $\mathcal{ML}^-_{s,t,n}$-formulas to s-satisfiability of $\mathcal{ML}^d_{s,t,n}$-formulas. W.l.o.g., we assume that $\varphi_4$ does not contain modal parameters of the form $X_i^-$ and $Y_i^-$: since these parameters are interpreted by symmetric relations, $X_i^-$ (resp. $Y_i^-$) can be replaced by $X_i$ (resp. $Y_i$). For $\chi \in \mathcal{ML}^-_{s,t,n}$ (without $X_i^-$ and $Y_i^-$), denote by $\chi^* \in \mathcal{ML}^d_{s,t,n}$ the formula obtained from $\chi$ by replacing all occurrences of $K_i^-$ with $I_i$.

For each $S \in \Phi$ (see Definition 2), we use $S^{\sim}$ to denote (i) $I_i$ if $S = K_i$, (ii) $K_i$ if $S = I_i$, (iii) $X_i$ if $S = X_i$, and (iv) $Y_i$ if $S = Y_i$. For convenience, we define two more sets

$$\Phi_1 = \{K_1, \dots, K_s, I_1, \dots, I_s, X_1, \dots, X_t\} \quad\text{and}\quad \Phi_2 = \{Y_1, \dots, Y_n\}.$$

Define $\varphi_5$ as the conjunction of $\varphi_4^*$ with all formulas $\chi_i \wedge [d]\chi_i$, where $\chi_i$ can be obtained from the following formulas by replacing $\psi$ and all $\psi_S$ with subformulas of $\varphi_4$.



Xi := ( A ^ ( V ^■ 5 ) 

X 2 := A !\ips A ^ V 

vcvpi 56-p se-p seqJiVP se<Pi\v 

X3 := A ^ ^ 

564? 

Obviously, $\varphi_5$ is an $\mathcal{ML}^d_{s,t,n}$-formula. The formula $\chi_1$ deals with Item 5 from the definition of c-frames, $\chi_2$ with Item 4, and $\chi_3$ with symmetry from Item 2 and with the semantics of the converse operator. Note that the length of $\varphi_5$ is polynomial in the length $|\varphi_4|$ of $\varphi_4$ since the set of modal parameters is fixed.

Lemma 1. $\varphi_4$ is c-satisfiable iff $\varphi_5$ is s-satisfiable.

Proof: The "only if" direction is straightforward: Let

$$\mathcal{M} = (W, \pi, \mathcal{K}_1, \dots, \mathcal{K}_s, \mathcal{X}_1, \dots, \mathcal{X}_t, \mathcal{Y}_1, \dots, \mathcal{Y}_n)$$

be a c-model for $\varphi_4$. It is readily checked that

$$\mathcal{M}' = (W, \pi, \mathcal{K}_1, \dots, \mathcal{K}_s, \mathcal{K}_1^-, \dots, \mathcal{K}_s^-, \mathcal{X}_1, \dots, \mathcal{X}_t, \mathcal{Y}_1, \dots, \mathcal{Y}_n)$$

is an s-frame and that the $\chi_i$ formulas from above are true in $\mathcal{M}'$. Hence, by the semantics of converse, $\mathcal{M}'$ is obviously a model for $\varphi_5$.

It remains to prove the "if" direction. Let

$$\mathcal{M} = (W, \pi, \mathcal{K}_1, \dots, \mathcal{K}_s, \mathcal{I}_1, \dots, \mathcal{I}_s, \mathcal{X}_1, \dots, \mathcal{X}_t, \mathcal{Y}_1, \dots, \mathcal{Y}_n)$$

be an s-model for $\varphi_5$. In particular, this implies that all formulas derived from $\chi_1$ to $\chi_3$ are true in $\mathcal{M}$. Before we construct the c-model for $\varphi_4$, we prove two claims:

Claim 1. For each $w, w' \in W$ with $w \ne w'$, there exists an $S \in \Phi_1$ such that, for all subformulas $\psi$ of $\varphi_4$, we have that $\mathcal{M}, w \models [S]\psi$ implies $\mathcal{M}, w' \models \psi$ and $\mathcal{M}, w' \models [S^{\sim}]\psi$ implies $\mathcal{M}, w \models \psi$.

Proof: Assume that the claim does not hold. Fix $w, w' \in W$ with $w \ne w'$ that do not have the property from the claim. This means that, for each $S \in \Phi_1$,

(i) there is a subformula $\psi_S$ of $\varphi_4$ such that $\mathcal{M}, w \models [S]\neg\psi_S$ and $\mathcal{M}, w' \models \psi_S$, or

(ii) there is a subformula $\psi'_S$ of $\varphi_4$ such that $\mathcal{M}, w' \models [S^{\sim}]\neg\psi'_S$ and $\mathcal{M}, w \models \psi'_S$.

Let $V$ be the subset of $\Phi_1$ such that $S \in V$ iff $S$ satisfies (i), and let $\psi_S$ be the formula from (i) if $S \in V$ and $\psi_S = \psi'_S$ otherwise. Let $\vartheta$ be the instantiation of $\chi_2$ with $V$ and the $\psi_S$.⁴ Since all formulas derived from $\chi_2$ are true in $\mathcal{M}$, we have $\mathcal{M}, w \models \vartheta$. It is straightforward to verify that this is a contradiction to the properties of the $\psi_S$ as stated under (i) and (ii). □

Claim 2. For each $w \in W$, there exists an $S \in \Phi_2$ such that, for all subformulas $\psi$ of $\varphi_4$, we have that $\mathcal{M}, w \models [S]\psi$ implies $\mathcal{M}, w \models \psi$.

Proof: Similar to the previous claim, only simpler, using $\chi_1$ in place of $\chi_2$. □

Construct a Kripke model $\mathcal{M}' = (W, \pi, \mathcal{K}'_1, \dots, \mathcal{K}'_s, \mathcal{X}'_1, \dots, \mathcal{X}'_t, \mathcal{Y}'_1, \dots, \mathcal{Y}'_n)$ as follows: Initially, set $\mathcal{K}'_i := \mathcal{K}_i \cup \mathcal{I}_i^-$, $\mathcal{X}'_i := \mathcal{X}_i \cup \mathcal{X}_i^-$, and $\mathcal{Y}'_i := \mathcal{Y}_i$. Then, augment the relations as follows:

1. For each $w, w' \in W$ with $w \ne w'$, if

$$(w,w') \notin \bigcup_{1 \le i \le s} \big(\mathcal{K}'_i \cup (\mathcal{K}'_i)^-\big) \cup \bigcup_{1 \le i \le t} \mathcal{X}'_i,$$

then choose an $S \in \Phi_1$ as in Claim 1 and set

— $\mathcal{K}'_i := \mathcal{K}'_i \cup \{(w,w')\}$ if $S = K_i$,

— $\mathcal{K}'_i := \mathcal{K}'_i \cup \{(w',w)\}$ if $S = I_i$, and

— $\mathcal{X}'_i := \mathcal{X}'_i \cup \{(w,w'), (w',w)\}$ if $S = X_i$.

2. For each $w \in W$, if $(w,w) \notin \bigcup_{1 \le i \le n} \mathcal{Y}'_i$, then choose a $Y_i \in \Phi_2$ as in Claim 2 and set $\mathcal{Y}'_i := \mathcal{Y}'_i \cup \{(w,w)\}$.

It is not hard to check that $\mathcal{M}'$ is a c-model, i.e., that the properties from Definition 2 are satisfied. It hence remains to prove that

$$\mathcal{M}, w \models \psi^* \iff \mathcal{M}', w \models \psi$$

for all subformulas $\psi$ of $\varphi_4$. The proof is by a straightforward induction and can be found in the full version of this paper [21]. Since $\mathcal{M}$ is a model for $\varphi_4^*$, we have that $\mathcal{M}'$ is a model for $\varphi_4$. □



⁴ For the cases $V = \emptyset$ and $V = \Phi_1$, we assume that the "empty" conjunction is equivalent to $\top$ and the "empty" disjunction equivalent to $\top$.
3.2 An ExpTime Upper Bound for $\mathcal{ML}^d_{s,t,n}$

We show that s-satisfiability of $\mathcal{ML}^d_{s,t,n}$-formulas can be decided in deterministic exponential time. Consider an $\mathcal{ML}^d_{s,t,n}$-formula $\varphi$ with modal parameters from $\{d\} \cup \Phi_1 \cup \Phi_2$ as defined above. Denote by $cl(\varphi)$ the closure under single negation of the set of all subformulas of $\varphi$. In what follows we identify $\neg\neg\psi$ with $\psi$. A $\varphi$-type $t$ is a subset of $cl(\varphi)$ with

— $\neg\chi \in t$ iff $\chi \notin t$, for all $\neg\chi \in cl(\varphi)$;

— $\chi_1 \wedge \chi_2 \in t$ iff $\chi_1, \chi_2 \in t$, for all $\chi_1 \wedge \chi_2 \in cl(\varphi)$.

Given a world $w$ in a model, the set of formulas in $cl(\varphi)$ which are realized in $w$ is a ($\varphi$-)type. We use the following notation:

— for $R \in \Phi$ we write $t_1 \to_R t_2$ iff $\{\neg\chi \mid \neg\langle R\rangle\chi \in t_1\} \subseteq t_2$;

— a $\varphi$-type $t$ is called a $\chi$-singleton type if $\{\chi, \neg\langle d\rangle\chi\} \subseteq t$.

Intuitively, singleton types are types which cannot be realized by two different worlds in a model. A candidate for $\varphi$ is a maximal set (w.r.t. $\subseteq$) $\mathcal{T}$ of $\varphi$-types with the following properties:

(C1) for all $t \in \mathcal{T}$: if $\langle Y_i\rangle\chi_1 \in t$ and $\langle Y_j\rangle\chi_2 \in t$, then $i = j$;

(C2) for all $t \in \mathcal{T}$: if for some $i \le n$, $\langle Y_i\rangle\chi \in t$, then $t \to_{Y_i} t$ and $\{\chi \mid \langle Y_i\rangle\chi \in t\} \subseteq t$;

(C3) if $\mathcal{T}$ contains a $\chi$-singleton type $t$, then $\neg\chi \in t'$, for all $t' \in \mathcal{T} - \{t\}$;

(C4) for every $\langle d\rangle\chi \in cl(\varphi)$ and $t, t' \in \mathcal{T}$: $\neg\chi, \neg\langle d\rangle\chi \in t$ iff $\neg\chi, \neg\langle d\rangle\chi \in t'$.

Intuitively, (C1) says that it suffices to add at most a single reflexive edge $Y_i$ to each world of type $t$, which is necessary since we are heading for s-models. By (C2), for each $\langle Y_i\rangle$-formula in $t$ we find a witness in $t$ itself. (C3) states that, for every $\langle d\rangle\chi \in cl(\varphi)$, $\mathcal{T}$ does not contain more than one $\chi$-singleton type. (C4) should be obvious by the semantics of $\langle d\rangle$. We have an exponential upper bound for the number of candidates (see [21]).

A relational candidate is a triple $(\mathcal{T}, \Gamma, \mathcal{I})$ consisting of

— a candidate $\mathcal{T}$ for $\varphi$;

— a function $\Gamma : \{1, \dots, k\} \to \mathcal{T}_N$ with $k \le |cl(\varphi)|^2$, where $\mathcal{T}_S$ and $\mathcal{T}_N$ denote the sets of singleton and non-singleton types in $\mathcal{T}$, respectively (in what follows we often use $\Gamma = \{(1, \Gamma(1)), \dots, (k, \Gamma(k))\}$);

— and a function $\mathcal{I}$ mapping each modal parameter $R \in \Phi$ to a relation $\mathcal{I}_R \subseteq (\mathcal{T}_S \cup \Gamma) \times (\mathcal{T}_S \cup \Gamma)$ such that

(R1) $(\mathcal{T}_S \cup \Gamma, (\mathcal{I}_R : R \in \Phi))$ is an s-frame;

(R2) for all $R \in \Phi$, $m, m' \le k$ and types $t, t'$: if $t\,\mathcal{I}_R\,t'$, $t\,\mathcal{I}_R\,(m,t')$, $(m,t)\,\mathcal{I}_R\,t'$, or $(m,t)\,\mathcal{I}_R\,(m',t')$, then $t \to_R t'$;

(R3) for all $R \in \Phi$, $\langle R\rangle\chi \in cl(\varphi)$, and $t \in \mathcal{T}_S$ with $\langle R\rangle\chi \in t$ we find $t' \in \mathcal{T}_S$ with $t\,\mathcal{I}_R\,t'$ and $\chi \in t'$ or we find $(m,t') \in \Gamma$ with $t\,\mathcal{I}_R\,(m,t')$ and $\chi \in t'$;

(R4) for all $R \in \Phi_2$ and $(m,t) \in \Gamma$, if $\langle R\rangle\chi \in t$, then $(m,t)\,\mathcal{I}_R\,(m,t)$.




Modal Logic and the Two-Variable Fragment 257 



Intuitively, $\mathcal{T}_S$ is the set of worlds realizing singleton types, $\Gamma$ is the set of worlds providing witnesses for diamond formulas in singleton types, and $\mathcal{I}$ fixes the extension of the modal parameters on $\mathcal{T}_S \cup \Gamma$. Note that $\Gamma$ need not contain more than $|cl(\varphi)|^2$ worlds since each candidate contains at most $|cl(\varphi)|$ singleton types (one for each $\langle d\rangle\chi \in cl(\varphi)$, see above) and each type may contain at most $|cl(\varphi)|$ diamond formulas. (R2) ensures that the relations fixed satisfy all box formulas. (R3) guarantees that diamond formulas in $t \in \mathcal{T}_S$ with parameters $R \in \Phi$ have witnesses in $\mathcal{T}_S \cup \Gamma$. And (R4) says that relations from $\Phi_2$ are interpreted by $\mathcal{I}$ as enforced by the diamond formulas. We need not consider types from $\mathcal{T}_S$ in (R4) since the corresponding claim already follows from (R1) and (R3). The number of relational candidates is bounded exponentially in $|cl(\varphi)|$ [21].

Our algorithm enumerates all (exponentially many) relational candidates and performs, for each such candidate, an elimination procedure that checks whether the candidate under consideration induces a model or not. Concerning the enumeration of relational candidates, note that it can be checked in polynomial time whether some $\mathcal{I}$ defines an s-frame as required by (R1) above: it is tedious but straightforward to write down explicit conditions that determine s-frames. We now describe the elimination procedure. Intuitively, we remove those non-singleton types whose diamond formulas are not witnessed: for a given relational candidate $(\mathcal{T}, \Gamma, \mathcal{I})$ we can form a sequence $\mathcal{T} = \mathcal{T}_0 \supseteq \mathcal{T}_1 \supseteq \cdots$ inductively as follows: put $\mathcal{T}_0 = \mathcal{T}$. Suppose $\mathcal{T}_i$ is defined. Then delete non-singleton types $t \in \mathcal{T}_i$ which are not in the range of $\Gamma$ whenever

(E1) there are no pairwise disjoint relations $\mathcal{I}'_R \subseteq \{t\} \times \mathcal{T}_S$ for all $R \in \Phi_1$, such that (i) $t \to_R t'$ whenever $t\,\mathcal{I}'_R\,t'$, and (ii) for all $\langle R\rangle\chi \in t$, $R \in \Phi_1$, there exists $t'$ with $t\,\mathcal{I}'_R\,t'$ and $\chi \in t'$, or there exists $t' \in \mathcal{T}_i - \mathcal{T}_S$ with $t \to_R t'$ and $\chi \in t'$, or

(E2) there is $\langle d\rangle\chi \in t$ but no $t' \in \mathcal{T}_i$ with $\chi \in t'$

and denote the result by $\mathcal{T}_{i+1}$. Clearly, $\mathcal{T}_i = \mathcal{T}_{i+1}$ after at most $|\mathcal{T}| \le 2^{|cl(\varphi)|}$ rounds. We denote the result of the elimination procedure started on $\mathcal{T}$ with $\widehat{\mathcal{T}}$. Obviously, for each non-singleton type $t$ in $\widehat{\mathcal{T}}$ which is not in the range of $\Gamma$, each diamond formula in $t$ is witnessed by some type in $\widehat{\mathcal{T}}$ such that at most one "edge" from $t$ to any $t' \in \mathcal{T}_S$ is required (this is crucial for building s-models). Together with (R3), (C2), and (R4), this implies that the only diamond formulas not witnessed in $\widehat{\mathcal{T}}$ are either $\langle R\rangle$-formulas in types from the range of $\Gamma$ with $R \in \{d\} \cup \Phi_1$, or are $\langle d\rangle$-formulas in types from $\mathcal{T}_S$. Since we are building s-models, we must be careful choosing singleton types as witnesses for these formulas:
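To make the elimination mechanism concrete, the following Python is an added example, not the paper's code. It runs type elimination in the simplified setting of plain multi-modal K: $\varphi$-types are built with the two closure conditions above, $t \to_R t'$ is exactly the relation defined in this section, and the deletion rule removes any type containing some $\langle R\rangle\chi$ without a $\to_R$-successor containing $\chi$, which is the "diamond formulas are not witnessed" test at the heart of (E1). The difference modality, singleton types, relational candidates and the s-frame conditions of the paper's procedure are left out, so this is the core idea rather than the full algorithm. The formula encoding, the function names and the sample formulas are assumptions of the example.

```python
# Added example (not the paper's code): type elimination for plain multi-modal K,
# a simplification of the procedure in Section 3.2 (no ⟨d⟩, singleton types or
# s-frame conditions).  Formula encoding (assumed):
#   ('p', name), ('not', f), ('and', f, g), ('dia', R, f) = ⟨R⟩f, R a relation name.
from itertools import product

def strip_dneg(f):
    """Identify ¬¬χ with χ throughout, as the text does."""
    if f[0] == 'not':
        g = strip_dneg(f[1])
        return g[1] if g[0] == 'not' else ('not', g)
    if f[0] == 'and':
        return ('and', strip_dneg(f[1]), strip_dneg(f[2]))
    if f[0] == 'dia':
        return ('dia', f[1], strip_dneg(f[2]))
    return f

def neg(f):
    return f[1] if f[0] == 'not' else ('not', f)

def closure(phi):
    """cl(phi): all subformulas of phi, closed under single negation."""
    subs, stack = set(), [phi]
    while stack:
        f = stack.pop()
        subs.add(f)
        if f[0] == 'not':
            stack.append(f[1])
        elif f[0] == 'and':
            stack.extend([f[1], f[2]])
        elif f[0] == 'dia':
            stack.append(f[2])
    return subs | {neg(f) for f in subs}

def types(phi):
    """All phi-types: t ⊆ cl(phi) with ¬χ ∈ t iff χ ∉ t, and
    χ1 ∧ χ2 ∈ t iff χ1, χ2 ∈ t (phi must be free of double negation)."""
    cl = closure(phi)
    positives = sorted((f for f in cl if f[0] != 'not'), key=repr)
    conjunctions = [f for f in cl if f[0] == 'and']
    result = []
    for bits in product((True, False), repeat=len(positives)):
        t = frozenset(f if b else ('not', f) for f, b in zip(positives, bits))
        if all((c in t) == (c[1] in t and c[2] in t) for c in conjunctions):
            result.append(t)
    return result

def arrow(t1, t2, R):
    """t1 →_R t2  iff  {¬χ | ¬⟨R⟩χ ∈ t1} ⊆ t2 (the relation defined in the text)."""
    return all(neg(f[1][2]) in t2
               for f in t1 if f[0] == 'not' and f[1][0] == 'dia' and f[1][1] == R)

def eliminate(phi):
    """Repeatedly delete types containing some ⟨R⟩χ that has no →_R-successor
    containing χ among the remaining types; return the surviving types."""
    T = set(types(strip_dneg(phi)))
    changed = True
    while changed:
        changed = False
        for t in list(T):
            unwitnessed = any(
                f[0] == 'dia' and
                not any(arrow(t, t2, f[1]) and f[2] in t2 for t2 in T)
                for f in t)
            if unwitnessed:
                T.discard(t)
                changed = True
    return T

def satisfiable(phi):
    """phi is K-satisfiable iff some surviving type contains phi: the survivors
    form a model with edges t →_R t', boxes hold by the definition of →_R and
    diamonds hold because every surviving type keeps its witnesses."""
    phi = strip_dneg(phi)
    return any(phi in t for t in eliminate(phi))

# Constructed sample formulas.
P = ('p', 'p')
SAT = ('and', ('dia', 'R', P), ('not', ('dia', 'R', ('not', P))))   # ⟨R⟩p ∧ [R]p
UNSAT = ('and', ('dia', 'R', P), ('not', ('dia', 'R', P)))          # ⟨R⟩p ∧ [R]¬p

if __name__ == "__main__":
    print(satisfiable(SAT), satisfiable(UNSAT))   # True False
```

Enumerating all types is exponential in $|cl(\varphi)|$ and each elimination round is polynomial in the number of types, which is the same cost profile the section uses for its ExpTime bound; what the paper adds on top of this skeleton is the bookkeeping (singleton types, $\Gamma$ and $\mathcal{I}$) needed to keep the constructed model an s-model.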

Lemma 2. $\varphi$ is s-satisfiable iff there exists a relational candidate $(\mathcal{T}, \Gamma, \mathcal{I})$ such that $(\widehat{\mathcal{T}}, \Gamma, \mathcal{I})$ has the following properties:

— there exists $t \in \widehat{\mathcal{T}}$ with $\varphi \in t$,

— for every $(m,t) \in \Gamma$ and all $\langle R\rangle\chi \in t$ with $R \in \Phi_1$: (i) there exists $t' \in \widehat{\mathcal{T}} - \mathcal{T}_S$ with $t \to_R t'$ and $\chi \in t'$ or (ii) there exists $t' \in \mathcal{T}_S$ with $(m,t)\,\mathcal{I}_R\,t'$ and $\chi \in t'$,

— for every $(m,t) \in \Gamma$ and $\langle d\rangle\chi \in t$ we find $t' \in \widehat{\mathcal{T}}$ with $\chi \in t'$,

— for every $t \in \mathcal{T}_S$ and $\langle d\rangle\chi \in t$ we find a $t' \in \widehat{\mathcal{T}}$ with $t \ne t'$ such that $\chi \in t'$.
Proof. Suppose $\varphi$ is s-satisfiable. Take a witness $\mathcal{M} = (W, \pi, \mathcal{R}_1, \dots, \mathcal{R}_k)$. Let, for $w \in W$,

$$t(w) = \{\chi \in cl(\varphi) \mid \mathcal{M}, w \models \chi\},$$

and $\mathcal{T} = \{t(w) \mid w \in W\}$. Due to the semantics of the modal operator $\langle d\rangle$, for each singleton type $t \in \mathcal{T}$, we find precisely one $w_t$ with $t(w_t) = t$. Select, for each singleton type $t \in \mathcal{T}$ and each $\langle R\rangle\chi \in t$, $R \in \Phi_1$, a world $v_{t,\langle R\rangle\chi}$ such that $w_t\,\mathcal{R}\,v_{t,\langle R\rangle\chi}$ and $\mathcal{M}, v_{t,\langle R\rangle\chi} \models \chi$. Let $v_1, \dots, v_r$ be an enumeration of those $v_{t,\langle R\rangle\chi}$ for which $t(v_{t,\langle R\rangle\chi})$ is not a singleton type and put

$$\Gamma = \{(i, t(v_i)) \mid 1 \le i \le r\}.$$

Note that $r \le |cl(\varphi)|^2$. Let, for $x, y \in \mathcal{T}_S \cup \Gamma$ and $R \in \Phi$:

$$x\,\mathcal{I}_R\,y \iff \begin{cases}
w_t\,\mathcal{R}\,v_m & : x = t,\ y = (m,t'), \\
v_m\,\mathcal{R}\,w_t & : x = (m,t'),\ y = t, \\
w_t\,\mathcal{R}\,w_{t'} & : x = t,\ y = t', \\
v_n\,\mathcal{R}\,v_m & : x = (n,t),\ y = (m,t').
\end{cases}$$

Now take a candidate $\mathcal{S} \supseteq \mathcal{T}$ ($\mathcal{T}$ itself may violate the maximality condition) containing precisely the singleton types from $\mathcal{T}$, and $\mathcal{I}$ and $\Gamma$ as defined above. It is easy to see that the elimination procedure applied to $(\mathcal{S}, \Gamma, \mathcal{I})$ terminates with a structure satisfying the four properties in Lemma 2.

Conversely, suppose the elimination procedure terminates with $(\widehat{\mathcal{T}}, \Gamma, \mathcal{I})$ that satisfies all four conditions in Lemma 2. We define an s-model satisfying $\varphi$ as follows: $W$ consists of $\mathcal{T}_S \cup \Gamma$ and the set $W_S$ of finite sequences

$$(t_{i_0}, R_{i_0}, t_{i_1}, R_{i_1}, \dots, t_{i_k})$$

where $t_{i_j} \in \mathcal{T}_N$, $R_{i_j} \in \Phi_1$ and $k \ge 0$.

Note that adding the paths from $W_S$ instead of elements of $\mathcal{T}_N$ to $\mathcal{T}_S \cup \Gamma$ allows us to make sure that the same type reached via different paths yields different worlds. Like in standard unravelling, a path represents its last element, and will therefore be interpreted according to its last type. So, define a valuation $\pi$ into $W$ as follows:

$$x \in \pi(p) \iff \begin{cases}
p \in x & : x \in \mathcal{T}_S, \\
p \in t & : x = (m,t) \in \Gamma, \\
p \in t_{i_k} & : x = (t_{i_0}, R_{i_0}, t_{i_1}, R_{i_1}, \dots, t_{i_k}) \in W_S.
\end{cases}$$

It remains to define the relational structure of our s-model. Intuitively, we start with the relational structure provided by $\mathcal{I}$ and then, for $R \in \Phi_1$ and each non-singleton type $t \in \mathcal{T}_N$ which is not in the range $ran(\Gamma)$ of $\Gamma$, take $\widehat{R} \subseteq \{t\} \times \mathcal{T}_S$ supplied by (E1). For every non-singleton type $t \in ran(\Gamma)$, take an $m_t$ with $\Gamma(m_t) = t$. Define, for $x, y \in W$ and $R \in \Phi_1$:



$$x\,\mathcal{R}\,y \iff \begin{cases}
x\,\mathcal{I}_R\,y & : x, y \in \mathcal{T}_S \cup \Gamma, \\
\dots & : x = (m,t),\ y = (t_{i_0}, \dots, R_{i_{k-1}}, t_{i_k}),\ \dots,\ R = R_{i_{k-1}}, \\
\dots & : x = (\dots, t_{i_k}),\ y = (\dots, t_{i_k}, R_{i_k}, t_{i_{k+1}}),\ R = R_{i_k}, \\
t_{i_k} \to_R t & : x = (t_{i_0}, \dots, t_{i_k}),\ y = t \in \mathcal{T}_S,\ t_{i_k} \in ran(\Gamma), \\
t_{i_k}\,\widehat{R}\,t & : x = (t_{i_0}, \dots, t_{i_k}),\ y = t \in \mathcal{T}_S,\ t_{i_k} \notin ran(\Gamma).
\end{cases}$$

Define, for $x, y \in W$ and $R \in \Phi_2$:

$$x\,\mathcal{R}\,y \iff \begin{cases}
x\,\mathcal{I}_R\,y & : x, y \in \mathcal{T}_S \cup \Gamma, \\
\langle R\rangle\psi \in t_{i_k} \text{ for some } \psi & : x = y = (t_{i_0}, \dots, t_{i_{k-1}}, R_{i_{k-1}}, t_{i_k}) \in W_S.
\end{cases}$$

It is left to the reader to check that $(W, \pi, (\mathcal{R} : R \in \Phi))$ is an s-model satisfying $\varphi$. □



Obviously, the conditions listed in Lemma 2 can be checked in exponential time, and we have obtained an ExpTime upper bound for $\mathcal{ML}^d_{s,t,n}$-satisfiability. The reduction of $L_m$ to $\mathcal{ML}^d_{s,t,n}$ given in Section 3.1 immediately yields an ExpTime upper bound for the satisfiability of $L_m$-formulas.

Theorem 2. For $0 < m < \omega$, satisfiability of $L_m$-formulas is ExpTime-complete.

Note that, for $m = \omega$, satisfiability of L-formulas is NExpTime-complete: in [20], it is proved that satisfiability in Boolean modal logic with an unbounded number of atomic modal parameters is NExpTime-hard, and the upper bound follows from Theorem 1 and the NExpTime upper bound for FO². So, in the modal language, the complexity depends on whether we have a bounded number of accessibility relations or not, while FO² does not "feel" this difference.



4 The Temporal Case

We briefly indicate that the expressive completeness result presented in this paper provides a general framework for comparing the expressivity of modal languages with first-order languages.

Fix a class $\mathcal{K}$ of frames of the form $\mathfrak{F} = (W, \mathcal{R}_1, \dots, \mathcal{R}_m)$. Denote by $\mathcal{E}_{\mathfrak{F}}$ the mapping which determines the extension of any complex modal parameter in $\mathfrak{F}$. A set $\mathcal{S}$ of complex modal parameters over $\{R_1, \dots, R_m, \mathit{id}\}$ is called exhaustive for $\mathcal{K}$ if for every complex modal parameter $S$, such that there exists $\mathfrak{F} \in \mathcal{K}$ with $\mathcal{E}_{\mathfrak{F}}(S) \ne \emptyset$, we find $S_1, \dots, S_k \in \mathcal{S}$ such that $\mathcal{E}_{\mathfrak{F}}(S) = \mathcal{E}_{\mathfrak{F}}(S_1 \cup \dots \cup S_k)$ for all $\mathfrak{F} \in \mathcal{K}$. Denote by $\mathcal{ML}(\mathcal{S})$ the modal language with operators $\langle S\rangle$, $S \in \mathcal{S}$.

Theorem 3. Let $\mathcal{K}$ be a class of frames and $\mathcal{S}$ a set of complex modal parameters which is exhaustive for $\mathcal{K}$. Then $\mathcal{ML}(\mathcal{S})$ is expressively complete for the two-variable fragment over $\mathcal{K}$; i.e., for every $\varphi \in \mathrm{FO}^2$ we find a $\varphi^{\mathsf{ml}} \in \mathcal{ML}(\mathcal{S})$ such that for all $\mathcal{M} = (W, \pi, \mathcal{R}_1, \dots, \mathcal{R}_m)$ with $(W, \mathcal{R}_1, \dots, \mathcal{R}_m) \in \mathcal{K}$ and all $a \in W$:

$$\mathcal{M}, a \models \varphi^{\mathsf{ml}} \iff \mathcal{M}_\sigma \models \varphi(a).$$

Moreover, given $\varphi$ the formula $\varphi^{\mathsf{ml}}$ is exponential in the size of $\varphi$ and can be computed in polynomial time in the size of $\varphi^{\mathsf{ml}}$.

The proof of this theorem is similar to the proof of Theorem 1. We provide two examples from temporal logic:
(i) Let $\mathcal{K}$ be a class of strict linear orderings $(W, R)$. Then $\mathcal{S} = \{R, R^-, \mathrm{id}\}$ is exhaustive for $\mathcal{K}$. Hence, $\mathcal{ML}(\mathcal{S})$ is expressively complete for the two-variable fragment over $\mathcal{K}$. It is not hard to see that any $\mathcal{ML}(\mathcal{S})$-formula $\varphi$ can be translated into an equivalent $\mathcal{ML}(\{R, R^-\})$-formula whose length is linear in the length of $\varphi$. In other words, the language of temporal logic with operators 'always in the future' and 'always in the past' [5,12] is expressively complete for the two-variable fragment over any class of strict linear orderings.

(ii) Consider again a class $\mathcal{K}$ of strict linear orderings $(W, R)$. Let, for every $\mathfrak{S} = (W, R) \in \mathcal{K}$, $\mathfrak{Int}(\mathfrak{S}) = (I(\mathfrak{S}), R_1, \dots, R_{13})$, where $I(\mathfrak{S})$ is the set of intervals in $\mathfrak{S}$ and $R_1, \dots, R_{13}$ is the list of Allen's relations over $I(\mathfrak{S})$. $\mathcal{S} = \{R_1, \dots, R_{13}\}$ is exhaustive for $\{\mathfrak{Int}(\mathfrak{S}) \mid \mathfrak{S} \in \mathcal{K}\}$ and so $\mathcal{ML}(\mathcal{S})$ is expressively complete for $\{\mathfrak{Int}(\mathfrak{S}) \mid \mathfrak{S} \in \mathcal{K}\}$. This interval-based temporal logic was introduced in [16].

Using (i), we obtain the following complexity result for the two-variable fragment interpreted in strict linear orderings:

Theorem 4. Suppose $\mathcal{K}$ is a class of strict linear orderings such that satisfiability of temporal propositional formulas with operators 'always in the future' and 'always in the past' in $\mathcal{K}$ is in NP and $\mathcal{K}$ contains an infinite ordering. Then satisfiability of $\mathrm{FO}^2$ with one binary relation interpreted by the strict linear ordering is NEXPTIME-complete.

Proof. NEXPTIME-hardness follows from the condition that $\mathcal{K}$ contains an infinite structure and that $\mathrm{FO}^2$ without binary relation symbols is NEXPTIME-hard already. Conversely, the following algorithm is in NEXPTIME: given $\varphi$, compute (in exponential time) the modal formula provided by Theorem 3 and check whether it is satisfiable in $\mathcal{K}$. □

This theorem applies, e.g., to (i) the class of all strict linear orderings, (ii) $\{(\mathbb{N}, <)\}$, (iii) $\{(\mathbb{Q}, <)\}$, and (iv) $\{(\mathbb{R}, <)\}$; see [25,30].
Abstract. In classical approaches to knowledge representation, reason- 
ers are assumed to derive all the logical consequences of their knowledge 
base. As a result, reasoning in the first-order case is only semi-decidable. 
Even in the restricted case of finite universes of discourse, reasoning 
remains inherently intractable, as the reasoner has to deal with two in- 
dependent sources of complexity: unbounded chaining and unbounded 
quantification. The purpose of this study is to handle these difficulties in 
a logic-oriented framework based on the paradigm of approximate rea- 
soning. The logic is semantically founded on the notion of resource, an 
accuracy measure, which controls at the same time the two barriers of 
complexity. Moreover, a stepwise technique is included for improving ap- 
proximations. Finally, both sound approximations and complete ones are 
covered. Based on the logic, we develop an approximation algorithm with 
a simple modification of classical instance-based theorem provers. The 
procedure yields approximate proofs whose precision increases as the rea- 
soner has more resources at her disposal. The algorithm is interruptible, 
improvable, dual, and can be exploited for anytime computation. More- 
over, the algorithm is flexible enough to be used with a wide range of 
propositional satisfiability methods. 

Keywords: approximate reasoning, first-order logic, multi-modal logics, 
resource-bounded algorithms. 



1 Introduction 

A widely accepted framework for studying intelligent agents is the knowledge representation approach. Knowledge is described in some logical formalism and stored in a knowledge base. This component is coupled with an inference algorithm, the reasoner, which determines whether a given query is entailed by the knowledge base. One of the main challenges of knowledge representation lies in the computational tradeoff between the expressiveness of representation languages and their complexity [21]. On the one hand, knowledge needs to be represented in a very expressive language, such as first-order logic, and, on the other, reasoning has to be very efficient, especially for knowledge bases of the size required for human-level common sense. Unfortunately, it is well known that first-order reasoning is only semi-decidable. In other words, if the base and the query are represented in first-order logic, there is no guaranteed way to determine in finite time whether the query is entailed by the knowledge base or not.
Since real agents are constrained by finite resources, it seems appropriate to examine first-order reasoning in the setting of finite universes of discourse. This assumption has received increasing attention in the communities of database systems [23,26], planning [11,12] and theorem proving [13,25,28,29]. It can be expressed by a domain closure axiom or, less restrictively, through a constraint expressing a finite upper limit on the cardinality of the domain of any interpretation. In this setting, every first-order formula can be rewritten to a finite "propositional" formula which, however, is in general exponentially larger: each atom with $m$ free variables gives rise to $n^m$ ground instances for a universe of size $n$. As a result, the complexity of first-order reasoning is (at most) exponentially higher than the complexity of propositional reasoning. Intuitively, this means that a first-order reasoner is confronted with two sources of complexity: unbounded chaining and unbounded quantification. The first one is related to propositional entailment, which is known to be intractable, while the second one is related to the exponential number of ground instances generated by a first-order formula. So, even in finite universes of discourse, first-order reasoning remains very demanding from a computational point of view.

Approximate reasoning is an approach advocated in many areas of artificial intelligence to deal with the computational intractability of problems. The motivation behind this paradigm stems from the fact that practical agents have limited time to solve problems and limited memory to remember information. As suggested by Lakemeyer in [16], an approximate reasoning system provides something of a middle ground between what is explicit or evident and can be retrieved using few resources, and what is implicit and should be inferred given enough time and memory. In case the answer of the reasoner is not satisfactory, one can still decide to continue reasoning. The simplest way is to switch to a conventional reasoning technique. A better way is to use the resource-bounded reasoner to produce better and better answers in a cumulative fashion.

Many such inference algorithms have been proposed, and these algorithms 
are generally reasonably easy to understand procedurally. For example, one may 
take an existing theorem prover and bound its execution time and memory in 
some way. However, understanding inference procedurally is no substitute for 
understanding what sort of “semantics” and “axiomatics” underlie the inference. 
This kind of deeper understanding is the domain of logic. A logic for a resource- 
bounded reasoner gives a clear picture to the notion of resource and tells us what 
the inference algorithm is, and is not, able to deduce from its knowledge base. 

There have been a number of attempts at devising logics for approximate reasoning, either proof-theoretically or model-theoretically. On the proof-theoretic side, for example, Dalal defines tractable forms of reasoning by eliminating certain inference rules from propositional logic [5]. The starting point of this framework is unit resolution, which is tractable but weaker than propositional deduction. Based on this inference rule, the author obtains better and better approximations by imposing incremental bounds on the size of clauses used as lemmas. This technique has been further studied, for example, in [6, 10].
On the model-theoretic side, one of the first frameworks proposed in the literature is that of Levesque [20]. Based on a multi-valued logic, specifically a fragment of Belnap's relevance logic [1], the author introduces a notion of inference which is weaker than propositional deduction and which captures a tractable form of reasoning. This study has been further extended by Schaerf and Cadoli in [24]. Their framework considers a subset $S$ of the propositional variables which receive a classical interpretation, while the remaining propositions are given a multi-valued interpretation. By increasing the parameter $S$, the reasoner can regain full logical deduction in an incremental fashion. This treatment of approximate reasoning has been applied to a wide range of reasoning problems [2, 14, 15, 22].

To the best of our knowledge, most of the studies in approximate reasoning have concentrated on propositional logic. In the proof-theoretic camp, Crawford and Etherington in [10] have recently attempted to extend Dalal's approach to first-order logic but, as they point out, unit resolution alone is undecidable. In the model-theoretic camp, Schaerf and Cadoli have extended their semantics to the description logics $\mathcal{ALE}$ and $\mathcal{ALC}$, but these languages remain restricted fragments of first-order logic. A more general framework has been investigated by Lakemeyer in [16, 17]. Based on Levesque's multi-valued logic, the author defines an inference relation which is weaker than classical first-order implication and which captures a decidable form of reasoning. However, Lakemeyer's framework is only "one-shot": if an approximate solution is wrong, the sole thing to do is to switch to a general-purpose reasoning technique. From this perspective, it seems appropriate to pursue investigations in the direction of "improvable" reasoners that would produce better and better solutions in an incremental fashion.

In this paper, we introduce a model-theoretic framework for approximate 
first-order reasoning. The framework is based on a multi-modal logic which con- 
tains a well-founded semantics and a correct and complete axiomatization. To 
some extent, our logic combines ideas from Schaerf and Cadoli’s approximation 
technique and Lakemeyer’s system for limited reasoning. In essence, our frame- 
work integrates the following features. 

— The logic is founded on the notion of resource, an accuracy measure which 
semantically captures bounded approximations of first-order inference. The 
measure reflects both the quality and the cost of the approximations. 

— The framework enables improvable reasoning: the quality of approximations 
is an increasing function of the resources that have been spent. 

— The framework covers dual reasoning: both sound but incomplete and com- 
plete but unsound solutions are returned at any computation step. 

The rest of the paper is organized as follows. In section 2, we define the 
syntax, the semantics, and a sound and complete axiomatization for the logic. In 
section 3, we investigate the semantical properties of approximate reasoning. In 
section 4, we show how to transform a traditional instance-based theorem prover 
into a resource-bounded algorithm which is interruptible, improvable, dual, and 
that can be exploited for anytime computation [30] . The approximation schema 
is flexible enough to be used with a wide range of efficient satisfiability methods. 
Finally, in section 5, we suggest some topics for future research. 
2 The Logic 

In this section we present a logic, named AFOR, for approximate first-order reasoning. We begin by defining the syntax; next we examine the semantics in detail, and then we present a sound and complete axiomatization for the logic.

2.1 Syntax 

The basic building block of our framework is Levesque’s first-order logic with 
standard names presented in [19] and further examined by Lakemeyer in [16, 17]. 
A first-order signature consists of denumerable sets P, F, N of symbols called 
predicates, functions and standard names respectively. Each predicate and func- 
tion symbol has a fixed arity which is defined by the number of its arguments. 
Function symbols with arity zero are called constants. The set of standard names 
corresponds to the universe of discourse over which quantifiers range. 

A term is either a variable, a standard name, or a function symbol whose arguments are themselves terms. A ground term is a term not containing any variable. A primitive term is either a constant or a function symbol whose arguments are standard names. An atom is a predicate whose arguments are terms, and a literal is an atom or its negation. A primitive atom (resp. primitive literal) is an atom (resp. literal) with standard names as arguments. The sets of primitive atoms and primitive literals generated from the signature are denoted $A$ and $L$, respectively. A standard formula is either an atom or can be obtained by the usual rules for the connectives $\neg$ and $\wedge$, and the quantifier $\forall$. Other connectives such as $\vee$, $\supset$ and $\equiv$, and the quantifier $\exists$, are defined in the usual way.

We now turn to the concept of resource. The key point behind this notion is to control the two aforementioned sources of complexity of first-order reasoning, namely unbounded chaining and unbounded quantification. To this end, a resource parameter is defined as a pair $S = (P_S, N_S)$ where $P_S$ is a finite subset of $P$ and $N_S$ is a nonempty finite subset of $N$. A parameter can be seen as the collection of primitive atoms and standard names which are relevant for chaining and quantification for a given problem instance. The sets of primitive atoms and primitive literals generated from $S$ are denoted $A_S$ and $L_S$, respectively. The "empty" parameter, which doesn't contain any predicate, is denoted $S_0$.

A formula is either a standard formula or can be obtained by the following rules: if $\alpha$ is a formula, then $\neg\alpha$ is a formula; if $\alpha$ and $\beta$ are formulas then $\alpha \wedge \beta$ is a formula; and if $\alpha$ is a standard formula and $S$ a resource parameter then $\Box_S\,\alpha$ is a formula. Notice that the syntax does not allow quantifying-in or nested modalities. The modality $\Diamond_S$ is used as an abbreviation of $\neg\Box_S\neg$. A formula such as $\Box_S\,\alpha$ is read "the reasoner necessarily infers $\alpha$ given the resources $S$"; dually $\Diamond_S\,\alpha$ is read "the reasoner possibly infers $\alpha$ given the resources $S$".

A sentence is a closed formula, a declaration is a closed standard formula, and a ground declaration is a quantifier-free declaration. In the following, sequences of terms are written in vector notation. For example, $(t_1, \dots, t_k)$ is abbreviated as $\vec t$. If a formula $\alpha$ contains the free variables $x_1, \dots, x_k$, then the notation $\alpha[\vec x/\vec t]$ will denote the result of replacing each occurrence of $x_i$ by $t_i$ in $\alpha$.
2.2 Semantics 

The semantics of AFOR combines ideas from Belnap’s four-valued logic [1] with 
possible world interpretations that allow varying domains of quantification [7]. 

We first assign semantics to ground terms. On this point, the logic makes the assumption that the universe of discourse is isomorphic to the set of standard names, that is, a ground term is identified with a unique name. A denotation function is defined as a mapping $d$ from primitive terms to standard names. A denotation function determines a unique map, also denoted $d$, on the set of all ground terms, according to the following conditions: $d(n) = n$, where $n$ is a standard name, and $d(f(\vec t)) = d(f(\vec n))$, where $n_i = d(t_i)$.

We now examine the semantics for all non-logical symbols. Our approach rests on an extension of the standard notion of possible world which we call valuations. While worlds use fixed domains of quantification and assign a truth value to every primitive atom, valuations, in contrast, allow varying domains of quantification and assign truth values to all the literals. In formal terms, a valuation is a structure $v = (N_v, L_v, d_v)$, where $N_v$ is a subset of $N$, $L_v$ is a subset of $L$, and $d_v$ is a denotation function. A world is a valuation $w$ where $N_w$ is the set of all standard names $N$ and $L_w$ is a subset of $L$ such that for every primitive atom $a$, $a \in L_w$ if and only if $\neg a \notin L_w$. We say that a valuation $v$ is more specific than $v'$, and write $v \sqsubseteq v'$, if $N_v = N_{v'}$, $L_v \subseteq L_{v'}$ and $d_v = d_{v'}$. We remark that the specificity relation is a partial order on the space of all valuations. Moreover, it induces a lattice structure on each subspace of valuations defined over the same domain of quantification and the same denotation function.

The concept of resource parameter $S$ is semantically captured by an accessibility relation on valuations $\mathcal{R}_S$. Given two valuations $v$ and $v'$ and any resource parameter $S$, $v' \in \mathcal{R}_S(v)$ if $N_{v'} = N_S$, $L_{v'} \cap L_S = L_v \cap L_S$ and $d_{v'} = d_v$. In other words, $\mathcal{R}_S(v)$ is the set of valuations that share the domain of quantification $N_S$, that assign the same truth value as $v$ to each literal in $L_S$, and that use the same denotation function. We remark that, for any valuation $v$, $\mathcal{R}_S(v)$ is a complete lattice under the specificity ordering $\sqsubseteq$. The smallest and the largest valuations of $\mathcal{R}_S(v)$ are denoted $\bigcap\mathcal{R}_S(v)$ and $\bigcup\mathcal{R}_S(v)$, respectively.

We now turn to the semantics of sentences. Since valuations assign inde- 
pendent truth values to literals and their complements, the semantic rules for 
sentences must define truth support for both sentences and their negation. 



$v \models p(\vec t)$ iff $p(\vec n) \in L_v$ and $\vec n = d_v(\vec t)$, (1)

$v \models \neg p(\vec t)$ iff $\neg p(\vec n) \in L_v$ and $\vec n = d_v(\vec t)$, (2)

$v \models \neg\neg\alpha$ iff $v \models \alpha$, (3)

$v \models \alpha \wedge \beta$ iff $v \models \alpha$ and $v \models \beta$, (4)

$v \models \neg(\alpha \wedge \beta)$ iff $v \models \neg\alpha$ or $v \models \neg\beta$, (5)

$v \models (\forall x)\,\alpha$ iff for all $n \in N_v$, $v \models \alpha[x/n]$, (6)

$v \models \neg(\forall x)\,\alpha$ iff for some $n \in N_v$, $v \models \neg\alpha[x/n]$, (7)

$v \models \Box_S\,\alpha$ iff for all $v' \in \mathcal{R}_S(v)$, $v' \models \alpha$, (8)

$v \models \neg\Box_S\,\alpha$ iff $v \not\models \Box_S\,\alpha$. (9)
A sentence $\alpha$ is called satisfiable iff $w \models \alpha$ for some world $w$. We say that a sentence $\alpha$ is valid, and write $\models \alpha$, iff $w \models \alpha$ holds for all worlds $w$. Finally, given two sentences $\alpha$ and $\beta$, we say that $\beta$ is a logical consequence of $\alpha$ iff $\models \alpha \supset \beta$ holds. The following lemmas capture important structural properties of the semantics. They will be frequently used in the remaining sections.

Lemma 1. For any declaration $\alpha$ and any valuations $v, v'$ such that $v \sqsubseteq v'$, if $v \models \alpha$ then $v' \models \alpha$.

Lemma 2. For any declaration $\alpha$ and any world $w$,

$w \models \Box_S\,\alpha$ iff $\bigcap\mathcal{R}_S(w) \models \alpha$, (1)

$w \models \Diamond_S\,\alpha$ iff $\bigcup\mathcal{R}_S(w) \models \alpha$. (2)

Proof (1). Suppose that $w \models \Box_S\,\alpha$. By semantic rule 8, we obtain $v \models \alpha$ for all $v \in \mathcal{R}_S(w)$. It follows that $\bigcap\mathcal{R}_S(w) \models \alpha$. Dually, suppose that $w \not\models \Box_S\,\alpha$. By semantic rule 9, we obtain $v \not\models \alpha$ for some $v \in \mathcal{R}_S(w)$. Since $\bigcap\mathcal{R}_S(w) \sqsubseteq v$, by contraposition of lemma 1, it follows that $\bigcap\mathcal{R}_S(w) \not\models \alpha$.

Proof (2). Suppose that $w \models \Diamond_S\,\alpha$. By semantic rule 9, we obtain $v \not\models \neg\alpha$ for some $v \in \mathcal{R}_S(w)$. If $v \models \alpha$ then by lemma 1 we have $\bigcup\mathcal{R}_S(w) \models \alpha$. Otherwise, by contraposition of lemma 1 we obtain $\bigcap\mathcal{R}_S(w) \not\models \alpha \vee \neg\alpha$. By induction on the structure of $\alpha$, it follows that $\bigcup\mathcal{R}_S(w) \models \alpha \wedge \neg\alpha$. So $\bigcup\mathcal{R}_S(w) \models \alpha$. Now suppose that $w \not\models \Diamond_S\,\alpha$. By semantic rule 8, we have $v \models \neg\alpha$ for all $v \in \mathcal{R}_S(w)$. If $\bigcup\mathcal{R}_S(w) \models \alpha$ then by lemma 1 we obtain $\bigcup\mathcal{R}_S(w) \models \alpha \wedge \neg\alpha$. By induction on the structure of $\alpha$, it follows that $\bigcap\mathcal{R}_S(w) \not\models \alpha \vee \neg\alpha$, but this contradicts the former hypothesis. Therefore, we must obtain $\bigcup\mathcal{R}_S(w) \not\models \alpha$.

2.3 Axiomatization 

We now focus on obtaining a sound and complete axiomatization for our logic. An axiom system consists of a collection of axioms and inference rules. A proof in an axiom system is a finite sequence of sentences, each of which is either an instance of an axiom or follows by an application of an inference rule. Finally, we say that a sentence $\alpha$ is a theorem of the axiom system, and write $\vdash \alpha$, if there exists a proof of $\alpha$ in the system. The axiom system of AFOR is the following.

Axioms: 

All tautologies of first-order logic (A1)

$\Box_S\,\neg\neg\alpha \equiv \Box_S\,\alpha$ (A2)

$\Box_S\,(\alpha \wedge \beta) \equiv \Box_S\,\alpha \wedge \Box_S\,\beta$ (A3)

$\Box_S\,\neg(\alpha \wedge \beta) \equiv \Box_S\,\neg\alpha \vee \Box_S\,\neg\beta$ (A4)

$\Box_S\,(\forall x)\,\alpha \equiv \Box_S \bigwedge_{n \in N_S} \alpha[x/n]$ (A5)

$\Box_S\,\neg(\forall x)\,\alpha \equiv \Box_S \bigvee_{n \in N_S} \neg\alpha[x/n]$ (A6)

$\Box_S\,(a \vee \neg a)$, where $a \in A_S$ (A7)

$\Diamond_S\,(a \wedge \neg a)$, where $a \notin A_S$ (A8)

$\Box_S\,\alpha \supset \alpha$, where $\alpha$ is a ground declaration (A9)
Inference rules: 

From $\vdash \alpha$ and $\vdash \alpha \supset \beta$ infer $\vdash \beta$ (R1)

From $\vdash \alpha[x/n]$ infer $\vdash (\forall x)\,\alpha$ (R2)

The axiom system may be divided into two categories. The first one consists of axiom (A1) and rules (R1) and (R2), which come from standard first-order logic. Hence, the first-order fragment of AFOR is correctly handled. The specificity of our logic lies in the second category. Axioms (A2)-(A4) capture the properties of double negation, conjunction and disjunction, respectively. Axioms (A5)-(A8) are the key point of resource-bounded reasoning. The first two axioms introduce a limitation on the quantification capabilities of the reasoner. Specifically, they state that any universal (existential) quantifier can be rewritten to a finite conjunction (disjunction) whose length is bounded by the size of $N_S$. From an orthogonal point of view, the last two axioms impose a limitation on the chaining capabilities of the reasoner. Axiom (A7) says that the system necessarily infers the tautology $a \vee \neg a$ whenever $a$ is in $A_S$. Dually, axiom (A8) says that the system can infer the antilogy $a \wedge \neg a$ if $a$ is not in $A_S$. Finally, axiom (A9) states that reasoning under the scope of $\Box_S$ is sound, provided that the declaration $\alpha$ is quantifier-free.
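The truth-support rules (1)-(9), the bounds $\bigcap\mathcal{R}_S$ and $\bigcup\mathcal{R}_S$ of lemma 2, and axioms (A5) and (A7)-(A9) can be exercised on a small model checker. The following Python code is an added example written for this edit, not code from the paper. It assumes a Herbrand signature (so $d_v$ is the identity and a standard name is just a ground term), represents a world by a constructed finite set of true atoms (every other atom being false), and evaluates $\Box_S$ and $\Diamond_S$ through lemma 2, i.e. on $\bigcap\mathcal{R}_S(v)$ and $\bigcup\mathcal{R}_S(v)$, rather than by enumerating the infinite set $\mathcal{R}_S(v)$.

```python
from dataclasses import dataclass

# Formula constructors.  Terms are standard names ('a', or ('f', 'a') for f(a)) or
# variables, written as strings starting with '?'.
def atom(p, *args):   return ('atom', p, tuple(args))
def Not(phi):         return ('not', phi)
def And(phi, psi):    return ('and', phi, psi)
def Forall(x, phi):   return ('forall', x, phi)
def Box(S, phi):      return ('box', S, phi)
def Or(phi, psi):     return Not(And(Not(phi), Not(psi)))   # derived connective
def Diamond(S, phi):  return Not(Box(S, Not(phi)))          # diamond_S abbreviates not box_S not

@dataclass(frozen=True)
class Resource:
    """Resource parameter S = (P_S, N_S): finite predicate set and finite name set."""
    preds: frozenset
    names: frozenset
    def contains(self, lit):          # is the literal in L_S ?
        return lit[1] in self.preds and all(t in self.names for t in lit[2])

class Valuation:
    """v = (N_v, L_v, d_v) with d_v the identity (Herbrand assumption).  L_v is kept as a
    membership test because sets such as L - L_S are infinite.  A literal is a triple
    (sign, predicate, args); L_v may hold a literal, its complement, both or neither."""
    def __init__(self, N, member):
        self.N, self.member = frozenset(N), member

def world(true_atoms, N):
    """A world: every primitive atom is true or false, never both.  Constructed here from
    a finite set of true atoms (pred, args); every other atom is false."""
    return Valuation(N, lambda lit: lit[0] == ((lit[1], lit[2]) in true_atoms))

def meet(v, S):   # least element of R_S(v): domain N_S, literals L_v intersected with L_S
    return Valuation(S.names, lambda lit: S.contains(lit) and v.member(lit))

def join(v, S):   # greatest element of R_S(v): (L_v intersected with L_S) plus all of L - L_S
    return Valuation(S.names, lambda lit: v.member(lit) if S.contains(lit) else True)

def subst_term(t, x, n):
    if t == x: return n
    if isinstance(t, tuple): return (t[0],) + tuple(subst_term(a, x, n) for a in t[1:])
    return t

def subst(phi, x, n):
    """phi[x/n]: replace every free occurrence of the variable x by the name n."""
    k = phi[0]
    if k == 'atom':   return ('atom', phi[1], tuple(subst_term(a, x, n) for a in phi[2]))
    if k == 'not':    return ('not', subst(phi[1], x, n))
    if k == 'and':    return ('and', subst(phi[1], x, n), subst(phi[2], x, n))
    if k == 'forall': return phi if phi[1] == x else ('forall', phi[1], subst(phi[2], x, n))
    return ('box', phi[1], subst(phi[2], x, n))

def holds(v, phi):
    """v |= phi, following rules (1), (4), (6), (8); negations go to refutes()."""
    k = phi[0]
    if k == 'atom':   return v.member((True, phi[1], phi[2]))                       # (1)
    if k == 'not':    return refutes(v, phi[1])                                      # (2),(3),(5),(7),(9)
    if k == 'and':    return holds(v, phi[1]) and holds(v, phi[2])                   # (4)
    if k == 'forall': return all(holds(v, subst(phi[2], phi[1], n)) for n in v.N)    # (6)
    return holds(meet(v, phi[1]), phi[2])                                           # (8), via lemma 2(1)

def refutes(v, phi):
    """v |= not phi: truth support for the negation, rules (2), (3), (5), (7), (9)."""
    k = phi[0]
    if k == 'atom':   return v.member((False, phi[1], phi[2]))                      # (2)
    if k == 'not':    return holds(v, phi[1])                                        # (3)
    if k == 'and':    return refutes(v, phi[1]) or refutes(v, phi[2])                # (5)
    if k == 'forall': return any(refutes(v, subst(phi[2], phi[1], n)) for n in v.N)  # (7)
    return not holds(v, phi)                                                        # (9)

def diamond_holds(v, S, phi):
    """Lemma 2(2): v |= diamond_S phi iff the greatest element of R_S(v) supports phi."""
    return holds(join(v, S), phi)

# Constructed data: a resource parameter and a world in which p(a) and q(b) are true.
S = Resource(frozenset({'p', 'q'}), frozenset({'a', 'b'}))
W = world({('p', ('a',)), ('q', ('b',))}, N={'a', 'b', ('f', 'a')})

def demo():
    pa, ra, px, rx = atom('p', 'a'), atom('r', 'a'), atom('p', '?x'), atom('r', '?x')
    return {
        'A7': holds(W, Box(S, Or(pa, Not(pa)))),                  # p(a) in A_S
        'A8': holds(W, Diamond(S, And(ra, Not(ra)))),             # r not in P_S
        'A9': (not holds(W, Box(S, pa))) or holds(W, pa),         # box_S a implies a
        'A5': holds(W, Box(S, Forall('?x', px))),                 # p(b) false: fails over N_S
        'lemma2': holds(W, Diamond(S, Forall('?x', rx))) == diamond_holds(W, S, Forall('?x', rx)),
    }
```

`demo()` returns the semantic checks of the axioms: the tautology of (A7) is supported under $\Box_S$, the antilogy of (A8) is supported under $\Diamond_S$ because both $r(a)$ and $\neg r(a)$ lie outside $L_S$, and $\Box_S (\forall x)\, p(x)$ fails because the quantifier ranges over $N_S = \{a, b\}$ and $p(b)$ is false, exactly as the finite conjunction of (A5) predicts.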

It is interesting to analyse the axiomatization from the standpoint of the so-called logical omniscience problem [9]. A reasoner is called logically omniscient if its inference capabilities are closed under logical consequence. By inference rule (R1) and axioms (A2)-(A4), we remark that $\Box_S\,\alpha \supset (\Box_S\,(\alpha \supset \beta) \supset \Box_S\,\beta)$ is a theorem of the axiom system. So, the inference capabilities of the reasoner are closed under material implication. However, we also remark that the sentence $\Box_S\,\alpha \supset ((\alpha \supset \beta) \supset \Box_S\,\beta)$ is not a theorem of the axiom system. Hence, the inference capabilities of the reasoner are not closed under logical implication. The following result gives soundness and completeness for the axiom system.

Theorem 1 (Soundness and Completeness). For any sentence $\alpha$,

$\vdash \alpha$ iff $\models \alpha$.

Proof (sketch). The soundness of the axiom system is easily demonstrated from the semantic rules and lemma 2. The proof of completeness is based on the technique of saturated sets presented in [7]. A set of sentences is called saturated if it is $\omega$-complete and consistent. A set of sentences $\Sigma$ is $\omega$-complete if $\Sigma \cup \{\neg\varphi[x/n]\}$ is consistent for some standard name $n$ whenever $\Sigma \cup \{\neg(\forall x)\,\varphi\}$ is consistent. Completeness follows if we can show that any saturated set is satisfiable. We begin by extending a given $\omega$-complete set $\Sigma$ to a maximally consistent set using the Lindenbaum procedure. Then we build a world $w_\Sigma$ as follows: $d_\Sigma$ is an injective morphism from the ground terms in $\Sigma$ to $N$, and $a \in L_\Sigma$ iff $a \in \Sigma$, for every primitive atom $a$. The central lemma in the proof shows that for any sentence $\alpha$, we have $\alpha \in \Sigma$ iff $w_\Sigma \models \alpha$. The only difficulty is the case where $\alpha$ is of the form $\Box_S\,\beta$. We begin by rewriting $\beta$ to an equivalent ground declaration in conjunctive normal form, using (A2)-(A6). The "if" part of the proof is based on axioms (A8) and (A9). Dually, the "only if" part of the proof is built from axioms (A7) and (A9).
3 Approximate Reasoning 

After an excursion into the logic AFOR, we now apply our results to the for- 
malization of approximate first-order reasoning. In the knowledge representation 
paradigm, the main task for a reasoner is to decide whether a query is entailed, 
or not, from the knowledge base. In general, this task is divided into two steps. 
First, convert the knowledge base and the negation of the query into clausal 
form and next, determine whether the resulting declaration is satisfiable or not. 
In this study, we concentrate on the second step of the reasoning process. 

From this perspective, we specify a resource-bounded reasoner as an "abstract type" that takes as input a clausal declaration $\alpha$ and an increasing sequence of resources $(S_0, \dots, S_n)$, and that approximates the problem of deciding whether $\alpha$ is satisfiable or not by means of two dual families of modal operators $(\Box_{S_0}, \dots, \Box_{S_n})$ and $(\Diamond_{S_0}, \dots, \Diamond_{S_n})$. If we prove that $\Box_{S_i}\,\alpha$ is satisfiable for some index $i$, then we have proved that $\alpha$ is satisfiable. Dually, if we prove that $\Diamond_{S_i}\,\alpha$ is unsatisfiable for some $i$, then we have proved that $\alpha$ is unsatisfiable. This stepwise process has the important advantage that the iteration may be stopped as soon as a confirming answer is obtained, possibly for a small index $i$.

Before examining the properties of approximate reasoning in detail, we introduce some useful definitions. A Herbrand signature is a first-order signature such that the set of function symbols $F$ contains at least one constant symbol, and the set of standard names $N$ is the set of all ground terms built from $F$. In other words, $N$ is the Herbrand universe of the signature. Such a context greatly simplifies the technical aspects of the semantics. Specifically, in the language defined over a Herbrand signature, there exists exactly one denotation function $d$ from ground terms to standard names, namely the identity function. Thus, any valuation $v$ is uniquely determined by its other two components.

A clause is a disjunction of literals. A clausal declaration is a declaration in prenex normal form containing only universal quantifiers, whose matrix is a conjunction of clauses. When clear from the context, such sentences will be respectively modeled as sets of literals and sets of clauses. With each clausal declaration $\alpha$, we can uniquely associate a Herbrand signature whose function and predicate symbols are those occurring in $\alpha$, with the additional condition that if $\alpha$ does not contain any constant, then we introduce a new constant in its signature. To avoid complicated notation, we assume from now on that the underlying representation language of a clausal declaration $\alpha$ is the language built from the Herbrand signature of $\alpha$.

With these notions in hand, we can now examine the semantical properties of 
approximations. First, we show that resource-bounded reasoning is improvable 
and dual. The quality of approximations improves as we increase the resources. 
Moreover, both sound approximations and complete ones are improvable. 

Theorem 2 (Monotonicity). For any clausal declaration $\alpha$ and any resource parameters $R$ and $S$ such that $R \subseteq S$,

if $\Box_R\,\alpha$ is satisfiable, then $\Box_S\,\alpha$ is satisfiable, (1)

if $\Diamond_R\,\alpha$ is unsatisfiable, then $\Diamond_S\,\alpha$ is unsatisfiable. (2)
Proof (1). Suppose that $\Box_R\,\alpha$ is satisfiable. Then $w \models \Box_R\,\alpha$ for some world $w$. Let $v$ denote $\bigcap\mathcal{R}_R(w)$. By construction, $N_v = N_R$ and $L_v = L_w \cap L_R$. Moreover, by lemma 2, it follows that $v \models \alpha$. Now, let us define a total mapping $\tau$ from $N_S$ to $N_R$ such that $\tau(n) = n$ for every $n \in N_R$. Let $v'$ be a new valuation where $N_{v'} = N_S$ and $L_{v'}$ is the set of all literals $l(\vec n)$ such that $l(\tau(\vec n)) \in L_v$. Suppose that $v' \not\models \alpha$. Then there exists at least one ground clause $\gamma(\vec n)$ of $\alpha$ generated from $N_S$ and such that $\gamma(\vec n) \cap L_{v'} = \emptyset$. It follows that $\gamma(\tau(\vec n)) \cap L_v = \emptyset$. Since $\gamma(\tau(\vec n))$ is a ground clause of $\alpha$ generated from $N_R$, it follows that $v \not\models \alpha$, but this contradicts the former hypothesis. Hence, $v' \models \alpha$. Let $w'$ be a new world such that $L_{w'} = L_{v'} \cup (L_w \setminus L_S)$ and let $v''$ denote $\bigcap\mathcal{R}_S(w')$. By construction, $N_{v''} = N_S$ and $L_{v''} = L_{w'} \cap L_S$. Thus $v' \sqsubseteq v''$. By lemma 1, it follows that $v'' \models \alpha$. Hence, $w' \models \Box_S\,\alpha$. Therefore, $\Box_S\,\alpha$ is satisfiable.

Proof (2). Suppose that $\Diamond_S\,\alpha$ is satisfiable. Then $w \models \Diamond_S\,\alpha$ for some world $w$. Let $v$ and $v'$ denote $\bigcup\mathcal{R}_S(w)$ and $\bigcup\mathcal{R}_R(w)$, respectively. By application of lemma 2, we have $v \models \alpha$. Now, let us define a new valuation $v''$ such that $N_{v''} = N_v$ and $L_{v''} = L_v \cup (L \setminus L_R)$. By construction, $v \sqsubseteq v''$. Thus, by lemma 1 it follows that $v'' \models \alpha$. Moreover, it is clear that $L_{v''} = L_{v'}$. Suppose that $v' \not\models \alpha$. Then, there exists at least one ground clause $\gamma$ of $\alpha$ generated from $N_R$ and such that $\gamma \cap L_{v'} = \emptyset$. Since $N_R \subseteq N_S$, it follows that $\gamma$ is a ground clause of $\alpha$ generated from $N_S$. Moreover, since $L_{v''} = L_{v'}$, it follows that $\gamma \cap L_{v''} = \emptyset$. Hence $v'' \not\models \alpha$, but this contradicts the former hypothesis. So, $v' \models \alpha$ and by lemma 2, it follows that $w \models \Diamond_R\,\alpha$. Therefore, $\Diamond_R\,\alpha$ is satisfiable.

Second, we demonstrate that there exists a systematic adequacy relationship 
between approximate reasoning and classical first-order reasoning. 

Theorem 3 (Adequacy). For any clausal declaration $\alpha$ and parameter $S$,

if $\Box_S\,\alpha$ is satisfiable, then $\alpha$ is satisfiable, (1)

if $\Diamond_S\,\alpha$ is unsatisfiable, then $\alpha$ is unsatisfiable. (2)

Proof (1). Let $R$ be a new parameter such that $N_R = N_S$ and $P_R$ is the set of all predicates occurring in the formula $\alpha$. Suppose that $\Box_S\,\alpha$ is satisfiable. By theorem 2 it follows that $\Box_R\,\alpha$ is satisfiable. Then $w \models \Box_R\,\alpha$ for some world $w$. Let $\tau$ be a function from $N$ to $N_R$ such that $\tau(n) = n$ for every $n \in N_R$. Let $w'$ be a world where $L_{w'} = \{l(\vec n) : l(\tau(\vec n)) \in L_w\}$. Suppose that $w' \not\models \alpha$. Then there exists a ground clause $\gamma(\vec n)$ of $\alpha$ such that $w' \not\models \gamma(\vec n)$. It follows that $w \not\models \gamma(\tau(\vec n))$. However, by contraposition of axiom (A9) we obtain $w \not\models \Box_R\,\gamma(\tau(\vec n))$. Since $\gamma(\tau(\vec n))$ is a ground clause generated from $N_R$, it follows that $w \not\models \Box_R\,\alpha$, hence a contradiction. So, $w' \models \alpha$ and therefore $\alpha$ is satisfiable.

Proof (2). We use the parameter $R$ defined in part (1). Suppose that $\Diamond_S\,\alpha$ is unsatisfiable. By theorem 2 it follows that $\Diamond_R\,\alpha$ is unsatisfiable. Let $\Sigma$ be the set of all ground clauses of $\alpha$ generated by $N_R$. Clearly, $\Diamond_R\,\Sigma$ is unsatisfiable. Moreover, from axiom (A9) and rule (R1) we infer that $\Sigma \supset \Diamond_R\,\Sigma$ is a theorem of our logic. By contraposition of this theorem, it follows that $\Sigma$ is unsatisfiable. However, $\Sigma$ is a finite subset of all ground instances of clauses of $\alpha$. By application of Herbrand's theorem [3] (only if part), it follows that $\alpha$ is unsatisfiable.
Third and finally, we guarantee the convergence of approximate unsatisfiability: if a declaration is unsatisfiable, then, using enough resources, we are guaranteed to find the correct solution. Notice that we cannot hope to obtain an analogous result for the dual part: since first-order unsatisfiability is recursively but not co-recursively enumerable, an infinite amount of resources may be necessary for determining satisfiability of a first-order clausal declaration.

Corollary 1 (Convergence). For any clausal declaration $\alpha$, if $\alpha$ is unsatisfiable then there exists a resource parameter $S$ such that $\Diamond_S\,\alpha$ is unsatisfiable.

Proof. Suppose that $\alpha$ is unsatisfiable. Then, by application of Herbrand's theorem [3] (if part), there must exist a finite unsatisfiable set $\Sigma$ of ground clauses of $\alpha$. Let $P_S$ and $N_S$ be the sets of all predicates and ground terms that occur in $\Sigma$. Clearly enough, $\Diamond_S\,\Sigma$ is unsatisfiable. Since $\Sigma$ is a subset of the set of all ground clauses of $\alpha$ generated by $N_S$, it follows that $\Diamond_S\,\alpha$ is unsatisfiable.

Example 1. Suppose we are given the following declaration:

$\alpha = \{\{p(x, y), r(x)\}, \{\neg q(f(b)), r(x)\}, \{\neg r(a), q(f(x))\}, \{\neg p(a, b), q(x)\}\}.$

The Herbrand signature of $\alpha$ is defined by the sets $P = \{p, q, r\}$, $F = \{a, b, f\}$ and $N = \{a, b, f(a), f(b), \dots\}$. We want to show that $\alpha$ is satisfiable. Hence, we need to find a parameter $S$ such that $\Box_S\,\alpha$ is satisfiable. In fact, this happens with $P_S = \{q, r\}$ and $N_S = \{a, f(a)\}$, which are restricted subparts of the signature.

Example 2. Suppose we are given the following declaration:

$\alpha = \{\{p(x)\}, \{\neg p(a), q(x)\}, \{r(g(x), y), q(f(a))\}, \{\neg p(b), \neg q(x)\}, \{\neg r(x, f(y))\}\}.$

The Herbrand signature of the formula is defined by $P = \{p, q, r\}$, $F = \{a, b, f, g\}$ and $N = \{a, b, f(a), g(a), \dots\}$. We want to show that $\alpha$ is unsatisfiable. So we need to find a parameter $S$ such that $\Diamond_S\,\alpha$ is unsatisfiable. In fact this holds with $P_S = \{p, q\}$ and $N_S = \{a, b\}$, which are restricted subparts of the signature.

4 Approximate Computation 

In this section, we investigate the computational aspects of approximate reasoning. We present an original algorithm, named AFOS, for approximate first-order satisfiability. We begin by specifying the algorithm, next we prove its soundness and completeness, and then we analyse its computational complexity.

Before exploring the algorithm in detail, we introduce some additional definitions. A substitution is a mapping $\theta$ from variables to terms. Given a resource parameter $S$, an $S$-substitution is a substitution $\theta$ such that the range of $\theta$ is a subset of $N_S$. Given two parameters $R$ and $S$ such that $R \subseteq S$, an $(R,S)$-substitution is an $S$-substitution $\theta$ such that the range of $\theta$ contains a nonempty subset of $N_S - N_R$. A clause $\delta$ is called an $S$-instance (resp. $(R,S)$-instance) of a clause $\gamma$ if $\delta = \gamma\theta$ for some $S$-substitution (resp. $(R,S)$-substitution) $\theta$. In the following, $\alpha_S$ denotes the set of all $S$-instances of $\alpha$ generated by $S$.
The algorithm AFOS, presented in Figure 1, can be thought of as an iterative instance-based theorem prover. The three major parts of the algorithm are: first the choice of new resources, second the resource-bounded instance generation, and third the satisfiability test by a standard propositional prover. The algorithm basically carries out these three steps until a proof of satisfiability or unsatisfiability is found or a time-space limit (i.e. interruption) is reached. It is important to remark that the procedure returns both the solution and the resources that have been spent for computing the solution. For example, suppose that AFOS($\alpha$) returns $(\mathit{true}, S)$ for some clausal declaration $\alpha$. The intuitive reading of this result is "$\alpha$ can be shown satisfiable using the resources $S$". Such information not only provides knowledge about the solution but also meta-knowledge about the resources needed to compute the solution.



Input: a clausal declaration $\alpha$;
Output: a resource parameter $S$ and the truth value $\mathit{true}$ if $\Box_S\alpha$ is satisfiable, $\mathit{false}$ if $\Diamond_S\alpha$ is unsatisfiable and $\mathit{unknown}$ otherwise;

$S \leftarrow S_0$;
$\alpha_S^\Box \leftarrow \emptyset$;
$\alpha_S^\Diamond \leftarrow \emptyset$;
while not interruption() do
    Choice of resource parameter:
        $R \leftarrow S$;
        $S \leftarrow$ choose();
    Instantiation:
        if $P_R = P_S$ then
            foreach $(R,S)$-instance $\gamma$ of $\alpha$ do
                $\alpha_S^\Box \leftarrow \alpha_S^\Box \cup \{\gamma \cap L_S\}$;
                if $\gamma \subseteq L_S$ then $\alpha_S^\Diamond \leftarrow \alpha_S^\Diamond \cup \{\gamma\}$;
        else
            $\alpha_S^\Box \leftarrow \emptyset$;
            $\alpha_S^\Diamond \leftarrow \emptyset$;
            foreach $S$-instance $\gamma$ of $\alpha$ do
                $\alpha_S^\Box \leftarrow \alpha_S^\Box \cup \{\gamma \cap L_S\}$;
                if $\gamma \subseteq L_S$ then $\alpha_S^\Diamond \leftarrow \alpha_S^\Diamond \cup \{\gamma\}$;
    Satisfiability:
        if $\alpha_S^\Box$ is satisfiable then return $(\mathit{true}, S)$;
        if $\alpha_S^\Diamond$ is unsatisfiable then return $(\mathit{false}, S)$;
return $(\mathit{unknown}, S)$;

Fig. 1: Approximate First-Order Satisfiability (AFOS)
Interestingly, our algorithm incorporates several major features. First, the algorithm is interruptible: it can be stopped at any time and provide some answer. Second, the procedure is dual: it can compute at the same time the satisfiability and the unsatisfiability of a generic formula. Third, the instance generation step can be shown progressive. Specifically, if $R$ is a subset of $S$, then any clause in the declaration $\alpha_R^\Box$ is a subset of some clause in the declaration $\alpha_S^\Box$; furthermore, the declaration $\alpha_R^\Diamond$ is a subset of the declaration $\alpha_S^\Diamond$. Fourth and finally, our algorithm can be shown incremental and anytime [30]. In particular, the reasoner can decide to fix the choice of predicates $P_S$ for a certain number of iterations. During these iterations, the set of ground terms $N_S$ is progressively increased and the declarations $\alpha_S^\Box$ and $\alpha_S^\Diamond$ are progressively expanded in an incremental fashion. If a solution is not found then the reasoner can choose a new set $P_S$, reinitialize the set $N_S$, and apply the same strategy again.

The approximation schema is general enough to be combined with a wide range of satisfiability testers. The underlying interest is to use methods which are appropriate for the problem at hand and that have been shown powerful enough for solving large instances of the problem. Complete methods such as depth-first search enumeration [27] can be used to compute at the same time the satisfiability of $\alpha_S^\Box$ and the unsatisfiability of $\alpha_S^\Diamond$. On the other hand, incomplete methods such as local search algorithms [8, 12] can be exploited if we concentrate on the satisfiability of $\alpha_S^\Box$.

The following two results clarify the interest of approximate computation. The first theorem gives soundness and completeness for the algorithm. The second theorem states its computational complexity. To this point, the last result claims that the two barriers of complexity in first-order reasoning, that is "quantification" and "chaining", are bounded by the resource parameter $S$.

Theorem 4 (Soundness and Completeness for AFOS). Given a clausal declaration $\alpha$, a resource parameter $S$ and no interruption of the algorithm,

$$\mathrm{AFOS}(\alpha)\ \text{returns}\ (\mathit{true}, S)\ \text{iff}\ \Box_S\alpha\ \text{is satisfiable},\qquad (1)$$

$$\mathrm{AFOS}(\alpha)\ \text{returns}\ (\mathit{false}, S)\ \text{iff}\ \Diamond_S\alpha\ \text{is unsatisfiable}.\qquad (2)$$

Proof. We only examine part (1), as a dual strategy applies to part (2). We know that $\Box_S\alpha$ is satisfiable iff $w \models \Box_S\alpha$ for some world $w$. By Lemma 2, $w \models \Box_S\alpha$ iff $\bigcap\mathcal{R}_S(w) \models \alpha$. Let $v$ denote $\bigcap\mathcal{R}_S(w)$. By semantic rules (4) and (6), $v \models \alpha$ iff $v \models \gamma$ for every $S$-instance $\gamma$ of $\alpha$. By semantic rules (1) and (5), $v \models \gamma$ iff $\gamma \cap v \neq \emptyset$. So, $v \models \alpha$ iff $v \models \alpha_S^\Box$ and hence, $\Box_S\alpha$ is satisfiable iff $\Box_S\alpha_S^\Box$ is satisfiable. Now suppose that AFOS($\alpha$) returns $(\mathit{true}, S)$. Then $\alpha_S^\Box$ is satisfiable. Since the relations and terms that occur in $\alpha_S^\Box$ are subsets of $P_S$ and $N_S$, it follows that $\Box_S\alpha_S^\Box$ is satisfiable. Therefore, $\Box_S\alpha$ is satisfiable. Dually, assume that $\Box_S\alpha$ is satisfiable. So, $\Box_S\alpha_S^\Box$ is satisfiable. By axiom (A9), it follows that $\alpha_S^\Box$ is satisfiable. Provided that no interruption occurred, AFOS($\alpha$) returns $(\mathit{true}, S)$.

Theorem 5 (Complexity). For any clausal declaration $\alpha$ and any resource parameter $S$, deciding whether $\Box_S\alpha$ is satisfiable and whether $\Diamond_S\alpha$ is satisfiable can be computed in $O(|\alpha_S| \cdot\ \ )$ time.
Proof. Let us examine the sentence $\Box_S\alpha$. By application of Theorem 4, $\Box_S\alpha$ is satisfiable iff AFOS($\alpha$) returns $(\mathit{true}, S)$. The instantiation part of the algorithm must, at most, generate all $S$-instances of $\alpha$, which is $O(|\alpha_S|)$. So, the time complexity of this part is $O(|\alpha_S|)$. In the worst case, all the clauses of $\alpha_S$ are stored in $\alpha_S^\Box$, so the size of $\alpha_S^\Box$ is $O(|\alpha_S|)$. Moreover, the cardinality of all distinct ground atoms in $\alpha_S^\Box$ is $O(|P_S|)$. So, the worst-case time complexity of the satisfiability part is $O(|\alpha_S| \cdot\ \ )$. A dual argument applies to the sentence $\Diamond_S\alpha$.

Example 3. We consider again Example 1. Suppose that AFOS chooses the resource parameter $S$ defined by $P_S = \{q, r\}$ and $N_S = \{a, f(a)\}$. We obtain $\alpha_S^\Box = \{\{r(a)\}, \{r(f(a))\}, \{\neg r(a), q(f(a))\}, \{q(a)\}, \{q(f(a))\}\}$. Clearly, $\alpha_S^\Box$ is satisfiable. Therefore, it follows that $\Box_S\alpha$ is satisfiable.



Example 4. Now consider again Example 2 and suppose that AFOS selects the resource parameter $S$ with $P_S = \{p, q\}$ and $N_S = \{a, b\}$. We obtain:

$$\alpha_S^\Diamond = \{\{p(a)\}, \{p(b)\}, \{\neg p(a), q(a)\}, \{\neg p(a), q(b)\}, \{\neg p(b), \neg q(a)\}, \{\neg p(b), \neg q(b)\}\}.$$

It is clear that $\alpha_S^\Diamond$ is unsatisfiable. Hence, it follows that $\Diamond_S\alpha$ is unsatisfiable.
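The instantiation and satisfiability steps of Fig. 1 run on the declaration of Example 2, as an added example in Python that is not code from the paper. It generates all $S$-instances, builds the two propositional declarations (named alpha_box and alpha_dia here), tests them with a small DPLL procedure, and walks a fixed schedule of resource parameters in place of choose(), always through the non-incremental branch of the instantiation step. One assumption is not fixed on this page: a ground literal counts as a member of $L_S$ when its predicate is in $P_S$ and each argument term is an element of $N_S$.

```python
"""AFOS (Fig. 1) for one resource parameter: S-instantiation, the two propositional
declarations and their satisfiability test.  Added example, not the paper's code.
Terms are a str (a variable if in VARS, else a constant) or a tuple (functor, args...);
a literal is (sign, predicate, args); a clause is a frozenset of literals."""
from itertools import product

VARS = frozenset("xyzuvw")   # variable names, as in the paper's examples

def lit(sign, pred, *args):
    return (sign, pred, tuple(args))

def term_vars(t):
    if isinstance(t, str):
        return {t} if t in VARS else set()
    return set().union(*(term_vars(a) for a in t[1:]))

def substitute(t, theta):
    if isinstance(t, str):
        return theta.get(t, t)
    return (t[0],) + tuple(substitute(a, theta) for a in t[1:])

def s_instances(clause, N_S):
    """All S-instances of a clause: one per S-substitution (range inside N_S)."""
    vs = sorted(set().union(*(term_vars(a) for _, _, args in clause for a in args)))
    for image in product(sorted(N_S, key=str), repeat=len(vs)):
        theta = dict(zip(vs, image))
        yield frozenset((s, p, tuple(substitute(a, theta) for a in args))
                        for s, p, args in clause)

def in_L_S(literal, P_S, N_S):
    """Assumption of this example: a ground literal lies in L_S when its predicate
    is in P_S and each of its argument terms is an element of N_S."""
    _, p, args = literal
    return p in P_S and all(a in N_S for a in args)

def approximate(alpha, P_S, N_S):
    """Non-incremental instantiation step: alpha_box collects gamma ∩ L_S,
    alpha_dia collects the instances gamma with gamma ⊆ L_S."""
    alpha_box, alpha_dia = set(), set()
    for clause in alpha:
        for gamma in s_instances(clause, N_S):
            alpha_box.add(frozenset(l for l in gamma if in_L_S(l, P_S, N_S)))
            if all(in_L_S(l, P_S, N_S) for l in gamma):
                alpha_dia.add(gamma)
    return alpha_box, alpha_dia

def negate(literal):
    return (not literal[0],) + literal[1:]

def assign(clauses, literal):
    """Make `literal` true: drop satisfied clauses, delete the complementary literal."""
    neg = negate(literal)
    return [c - {neg} for c in clauses if literal not in c]

def satisfiable(clauses):
    """Plain DPLL (unit propagation plus splitting) on ground clauses."""
    clauses = [set(c) for c in clauses]
    while True:
        if any(not c for c in clauses):   # empty clause: conflict
            return False
        if not clauses:                   # every clause satisfied
            return True
        unit = next((next(iter(c)) for c in clauses if len(c) == 1), None)
        if unit is None:
            break
        clauses = assign(clauses, unit)
    split = next(iter(clauses[0]))
    return satisfiable(assign(clauses, split)) or satisfiable(assign(clauses, negate(split)))

def afos_step(alpha, P_S, N_S):
    """One iteration of AFOS for a fixed resource parameter S = (P_S, N_S)."""
    alpha_box, alpha_dia = approximate(alpha, P_S, N_S)
    if satisfiable(alpha_box):
        return "true"
    if not satisfiable(alpha_dia):
        return "false"
    return "unknown"

def afos(alpha, schedule):
    """AFOS over a fixed list of resource parameters standing in for choose();
    returns the verdict with the resources spent, like (true, S) in the paper."""
    verdict, S = "unknown", None
    for S in schedule:
        verdict = afos_step(alpha, *S)
        if verdict != "unknown":
            break
    return verdict, S

# Example 2: alpha = {{p(x)}, {-p(a), q(x)}, {r(g(x), y), q(f(a))}, {-p(b), -q(x)}, {-r(x, f(y))}}
EXAMPLE_2 = [
    frozenset({lit(True, "p", "x")}),
    frozenset({lit(False, "p", "a"), lit(True, "q", "x")}),
    frozenset({lit(True, "r", ("g", "x"), "y"), lit(True, "q", ("f", "a"))}),
    frozenset({lit(False, "p", "b"), lit(False, "q", "x")}),
    frozenset({lit(False, "r", "x", ("f", "y"))}),
]
```

With the schedule `[({"p", "q"}, {"a"}), ({"p", "q"}, {"a", "b"})]`, `afos(EXAMPLE_2, ...)` answers unknown for $N_S = \{a\}$ and then returns `("false", ({"p", "q"}, {"a", "b"}))`, the second parameter reproducing the six clauses of Example 4.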



Example 5. We assume that the following knowledge base $\Sigma$ is part of a very large ontology of group theory and other algebraic structures. $\Sigma$ uses a small signature which we assume to be part of a larger vocabulary.

$$\Sigma = \left\{\begin{array}{l}
\{p(x, y, f(x, y))\},\\
\{p(e, x, x)\},\\
\{p(x, e, x)\},\\
\{p(i(x), x, e)\},\\
\{p(x, i(x), e)\},\\
\{\neg p(x, y, v), \neg p(y, z, v), \neg p(x, w, u), p(v, z, u)\},\\
\{\neg p(x, y, v), \neg p(y, z, v), \neg p(v, z, u), p(x, w, u)\},\\
\{\neg s(x), \neg s(y), \neg p(x, i(y), z), s(z)\}
\end{array}\right\}$$

Suppose we are given the following query: for any given element in a subgroup, show that its inverse is still in the subgroup. This can be denoted by $(\forall x)(s(x) \supset s(i(x)))$. Let $\alpha = \Sigma \cup \{\{s(a)\}, \{\neg s(i(a))\}\}$. We want to show that $\alpha$ is unsatisfiable. So the algorithm needs to find a resource parameter $S$ such that $\Diamond_S\alpha$ is unsatisfiable. In fact, this holds with $P_S = \{s, p\}$ and $N_S = \{a, i(a), e\}$. We remark that the number of clauses and atoms in $\alpha_S^\Diamond$ is 1475 and 30, respectively. By combining iterative instantiation with an improved version of the Davis-Putnam procedure [27], unsatisfiability should be inferred in a short time.



5 Conclusion 

The main motivation behind this work has been to obtain a model of approximate reasoning that defines a computationally more attractive reasoner than classical first-order logic. We have stressed a multi-modal logic which has a well-founded semantics and a correct and complete axiomatization. Based on this logic, we have shown that our framework integrates several major features: bounded resources, improvability and dual reasoning. Finally, we designed a resource-bounded algorithm with a simple modification of classical instance-based theorem provers, and we have discussed the quality and complexity guarantees of this approximate deduction mechanism.

There are various avenues of research that come out of this work. On the logic side, a first investigation is to extend the language with equality. In particular, the question whether first-order logic with equality can be embedded in our framework should be settled. A secondary, but important, investigation is to examine decidable sub-fragments of first-order logic such as, for instance, Schönfinkel-Bernays expressions. To this point, it would be interesting to obtain a convergence result for the satisfiability problem of these sub-fragments. On the algorithmic side, a number of open problems remain to be explored. In particular, an important issue is the development of "intelligent" strategies for the incremental choice of resources. This choice may be heuristic; search strategies advocated in the literature of instance-based theorem proving should play a major role in the global efficiency of the framework [4, 13, 18, 29]. For example, a well-known principle is to iteratively choose predicates and terms according to their increasing arity. More sophisticated heuristics can be developed by combining unification techniques used for instantiation and strategies employed in propositional testers. Alternatively, the choice of the resources may be guided by control knowledge; it is a commonplace that knowledge about the structure of a base is important for efficient inferences [24]. To this very point, we recall that AFOS communicates at the same time knowledge about the solution and meta-knowledge about the computation. In the query-answering process this meta-knowledge should be automatically learned to perform an appropriate choice of the resources which guarantees a high degree of confidence. These criteria are under study and we hope that an intelligent control strategy will be possible for approximate first-order reasoning.
Abstract. We consider an extension of modal logic with an operator for constructing inflationary fixed points, just as the modal $\mu$-calculus extends basic modal logic with an operator for least fixed points. Least and inflationary fixed point operators have been studied and compared in other contexts, particularly in finite model theory, where it is known that the logics IFP and LFP that result from adding such fixed point operators to first order logic have equal expressive power. As we show, the situation in modal logic is quite different, as the modal iteration calculus (MIC) we introduce has much greater expressive power than the $\mu$-calculus. Greater expressive power comes at a cost: the calculus is algorithmically much less manageable.

1 Introduction 

The modal $\mu$-calculus is an extension of multi-modal logic with an operator for forming least fixed points. This logic has been extensively studied, having acquired importance for a number of reasons. In terms of expressive power, it subsumes a variety of modal and temporal logics used in verification, in particular LTL, CTL, CTL*, PDL and also many logics used in other areas of computer science, for instance description logics. On the other hand, $L_\mu$ has a rich theory, and is well-behaved in model-theoretic and algorithmic terms.

The logic $L_\mu$ is only one instance of a logic with an explicit operator for forming least fixed points. Indeed, in recent years, a number of fixed point extensions of first order logic have been studied in the context of finite model theory. It may be argued that fixed point logics play a central role in finite model theory, more important than first order logic itself. The best known of these fixed point logics is LFP, which extends first order logic with an operator for forming the least fixed points of positive formulae, defining monotone operators. In this sense, it relates to first order logic in much the same way as $L_\mu$ relates to propositional modal logic. However, a number of other fixed point operators have been extensively studied in finite model theory, including inflationary, partial, nondeterministic and alternating fixed points. All of these have in common that they allow the construction of fixed points of operators that are not necessarily monotone.

* Research supported by EPSRC grants GR/L69596 and GR/N23028.
Furthermore, a variety of fragments of the fixed point logics formed have been studied, such as existential and stratified fragments, bounded fixed point logics, transitive closure logic and varieties of Datalog. Thus, there is a rich theory of the structure and expressive power of fixed point logics on finite relational structures and, to a lesser extent, on infinite structures.

In the present paper, we take a first step in the study of extensions of propositional modal logic by operators that allow us to form fixed points of non-monotone formulae. We focus on the simplest of these, that is the inflationary fixed point (also sometimes called the iterative fixed point). Though the inflationary fixed point extension of first order logic (IFP) is often used interchangeably with LFP, as the two have the same expressive power on finite structures, we show that in the context of modal logic, the inflationary fixed point behaves quite differently from the least fixed point.

Least and Inflationary Inductions. We begin by reviewing the known results on the logics LFP and IFP.

(1) On finite structures, LFP and IFP have the same expressive power [12].

(2) It is conjectured that IFP is strictly more expressive than LFP on infinite structures, but only partial results are known. On many interesting infinite structures, for instance in arithmetic $(\omega, +, \cdot)$, LFP and IFP are known to be equally expressive, but the translation of IFP into LFP can make the formulae much more complicated [6].

(3) On ordered finite structures, LFP and IFP express precisely the properties that are decidable in polynomial time.

(4) Simultaneous least or inflationary inductions do not provide more expressive power than simple inductions.

(5) The complexity of evaluating a formula in LFP or IFP on a given finite structure $\mathfrak{A}$ is polynomial in the size of the structure, but exponential in the length of the formula. For formulae with a bounded number $k$ of variables, the evaluation problem is PSPACE-complete [9], even for $k = 2$ and on fixed (and very small) structures. If, in addition to bounding the number of variables, one also forbids parameters in fixed point formulae, the evaluation problem for LFP is computationally equivalent to the model checking problem for $L_\mu$ [H)17], which is known to be in NP $\cap$ co-NP, in fact in UP $\cap$ co-UP [14], and hard for PTIME. It is an open problem whether this problem can be solved in polynomial time. The model checking problem for bounded variable IFP does not appear to have been studied previously.

We also note that even though IFP does not provide more expressive power than LFP on finite structures, it is often more convenient to use inflationary inductions in explicit constructions. The advantage of using IFP is that one is not restricted to inductions over positive formulae. A non-trivial case in point is the formula defining an order on the $k$-variable types in a finite structure, an essential ingredient of the proof of the Abiteboul-Vianu Theorem, saying that least and partial fixed point logics coincide if and only if PTIME = PSPACE (see [4, 8, 10]). Furthermore, IFP is more robust, in the sense that inflationary fixed points are well-defined, even when other, non-monotone, operators are added to the language (see, for instance, [7]).

Inflationary Inductions in Modal Logic. Given the close relationship between LFP and IFP on finite structures, and the importance of the $\mu$-calculus, it is natural to study also the properties and expressive power of inflationary fixed points in modal logic. In this paper, we undertake a study of an analogue of IFP for modal logic. We define a modal iteration calculus, MIC, by extending basic multi-modal logic with simultaneous inflationary inductions. While deferring formal definitions until Section 2, we begin with an informal explanation.

In $L_\mu$, we can write formulae $\mu X.\varphi$, which are true in state $s$ of a transition system $\mathcal{K}$ if, and only if, $s$ is in the least set $X$ satisfying $X \leftrightarrow \varphi$ in $\mathcal{K}$. We can do this, provided that the variable $X$ appears only positively in $\varphi$. This guarantees that $\varphi$ defines a monotone operator and has a least fixed point. Moreover, the fixed point can be obtained by an iterative process. Starting with the empty set, if we repeatedly apply the operator defined by $\varphi$ (possibly through a transfinite series of stages), we obtain an increasing sequence of sets, which converges to the desired least fixed point. If, on the other hand, $\varphi$ is not positive in $X$, we can still define an increasing sequence of sets, by starting with the empty set, and iteratively taking the union of the current set $X$ with the set of states satisfying $\varphi(X)$, and this sequence must eventually converge to a fixed point (not necessarily of $\varphi$, but of the operator that maps $X$ to $X \vee \varphi(X)$). More generally, we allow formulae $\mathrm{ifp}\ X_j : [X_1 \leftarrow \varphi_1, \ldots, X_k \leftarrow \varphi_k]$ that construct sets by a simultaneous inflationary induction. At each stage $\alpha$, we have a tuple of sets $X_1^\alpha, \ldots, X_k^\alpha$. Substituting these into the formulae $\varphi_1, \ldots, \varphi_k$ we obtain a new tuple of sets, which we add to the existing sets $X_1^\alpha, \ldots, X_k^\alpha$ to obtain the next stage.

It is clear that MIC is a modal logic in the sense that it is invariant under bisimulation. In fact, on every class of bounded cardinality, inflationary fixed points can be unwound to obtain equivalent infinitary modal formulae. As a consequence, MIC has the tree model property. It is also clear that MIC is at least as expressive as $L_\mu$. The following natural questions now arise.

(1) Is MIC more expressive than $L_\mu$?

(2) Does MIC have the finite model property?

(3) What are the algorithmic properties of MIC? Is the satisfiability problem decidable? Can model checking be performed efficiently (as efficiently as for $L_\mu$)?

(4) Can we eliminate, as in the $\mu$-calculus and as in IFP, simultaneous inductions without losing expressive power?

(5) What is the relationship of MIC with monadic second-order logic and with finite automata? Or more generally, what are the 'right' automata for MIC?

(6) Is MIC the bisimulation-invariant fragment of any natural logic (as $L_\mu$ is the bisimulation-invariant fragment of MSO [13])?
We provide answers to most of these questions. From an algorithmic point of view, most of the answers are negative. From the point of view of expressiveness, we can say that in the context of modal logic, inflationary fixed points provide much more expressive power than least fixed points, and MIC has very different structural properties to $L_\mu$. In particular, we establish the following results:

(1) There exist MIC-definable languages that are not regular. Hence MIC is more expressive than the $\mu$-calculus, and does not translate to monadic second-order logic.

(2) MIC does not have the finite model property.

(3) The satisfiability problem for MIC is undecidable. In fact, it is not even in the arithmetic hierarchy.

(4) The model checking problem for MIC is PSPACE-complete.

(5) Simultaneous inflationary inductions do provide more expressive power than simple inflationary inductions. Nevertheless the algorithmic intractability results for MIC apply also to MIC without simultaneous inductions.

(6) There are bisimulation-invariant polynomial time properties that are not expressible in MIC.

(7) All languages in DTIME($O(n)$) are MIC-definable.

No doubt, these properties exclude MIC as a candidate logic for hardware verification. On the other hand, the present study is an investigation into the structure of the inflationary fixed point operator and may suggest tractable fragments of the logic MIC, which involve crucial use of an inflationary operator, just as logics like CTL and alternation-free $L_\mu$ carve out efficiently tractable fragments of $L_\mu$. In any case, it delineates the differences between inflationary and least fixed point constructs in the context of modal logic.

In the rest of this paper, we begin in Section 2 by giving the necessary background on modal logic and fixed points, and giving the definition of MIC, along with an example that illustrates how this calculus has higher expressive power than $L_\mu$. Section 3 establishes that MIC fails to have the finite model property and that the satisfiability problem is highly undecidable. This is established separately for MIC, and 1MIC, its fragment without simultaneous inductions. We also show that MIC is more expressive than 1MIC. In Section 5 we investigate questions of the computational complexity of MIC in the context of finite transition systems. We show that the model checking problem is PSPACE-complete, that the class of models of any MIC formula is decidable in both polynomial time and linear space, and that there are polynomial time bisimulation-invariant properties that are not expressible in MIC. Finally, Section 6 investigates the expressive power of MIC on finite words, establishing that there are languages definable in MIC that are not context-free, and that every linear time decidable language is expressible in MIC.

Due to space limitations we only sketch the proofs of some results and defer the details to the full version of the paper [5].
2 The Modal Iteration Calculus 

Before we define the modal iteration calculus, we briefly recall the definitions of propositional modal logic ML and the $\mu$-calculus $L_\mu$.

2.1 Propositional Modal Logic 

Transition Systems. Modal logics are interpreted on transition systems (also called Kripke structures). Fix a set $A$ of actions and a set $\mathcal{V}$ of atomic propositions. A transition system for $A$ and $\mathcal{V}$ is a structure $\mathcal{K}$ with universe $V$ (whose elements are called states), binary relations $E_a \subseteq V \times V$ for each $a \in A$ and monadic relations $p \subseteq V$ for each atomic proposition $p \in \mathcal{V}$ (we do not distinguish notationally between atomic propositions and their interpretations).

Syntax of ML. For a set $A$ of actions and a set $\mathcal{V}$ of proposition variables, the formulae of ML are built from $\mathit{false}$, $\mathit{true}$ and the variables $p \in \mathcal{V}$ by means of Boolean connectives $\wedge$, $\vee$, $\neg$ and modal operators $\langle a\rangle$ and $[a]$. That is, if $\psi$ is a formula of ML and $a \in A$ is an action, then $\langle a\rangle\psi$ and $[a]\psi$ are also formulae of ML. If there is only one action in $A$, one simply writes $\Box$ and $\Diamond$ for $[a]$ and $\langle a\rangle$, respectively.

Semantics of ML. The formulae of ML are evaluated on transition systems at a particular state. Given a formula $\psi$ and a transition system $\mathcal{K}$ with state $v$, we write $\mathcal{K}, v \models \psi$ to denote that the formula $\psi$ holds in $\mathcal{K}$ at state $v$. We also write $[\![\psi]\!]^{\mathcal{K}}$ to denote the set of states $v$ such that $\mathcal{K}, v \models \psi$. In the case of atomic propositions $\psi = p$, we have $[\![p]\!]^{\mathcal{K}} = p$. Boolean connectives are treated in the natural way. Finally, for the semantics of the modal operators we put

$$[\![\langle a\rangle\psi]\!]^{\mathcal{K}} := \{v : \text{there exists a state } w \text{ such that } (v, w) \in E_a \text{ and } w \in [\![\psi]\!]^{\mathcal{K}}\}$$

$$[\![[a]\psi]\!]^{\mathcal{K}} := \{v : \text{for all } w \text{ such that } (v, w) \in E_a, \text{ we have } w \in [\![\psi]\!]^{\mathcal{K}}\}$$

Hence $\langle a\rangle$ and $[a]$ can be viewed as existential and universal quantifiers 'along $a$-transitions'.

2.2 The $\mu$-Calculus 

Syntax of $L_\mu$. The $\mu$-calculus extends propositional modal logic ML by the following rule for building fixed point formulae: if $\psi$ is a formula in $L_\mu$ and $X$ is a propositional variable that occurs only positively in $\psi$, then $\mu X.\psi$ and $\nu X.\psi$ are formulae.

Semantics of $L_\mu$. A formula $\psi(X)$ with a propositional variable $X$ defines on every transition system $\mathcal{K}$ (with state set $V$, and with interpretations for free variables other than $X$ occurring in $\psi$) an operator $\psi^{\mathcal{K}} : \mathcal{P}(V) \to \mathcal{P}(V)$ assigning to every set $X \subseteq V$ the set $\psi^{\mathcal{K}}(X) := [\![\psi]\!]^{(\mathcal{K}, X)} = \{v \in V : (\mathcal{K}, X), v \models \psi\}$.

As $X$ occurs only positively in $\psi$, the operator $\psi^{\mathcal{K}}$ is monotone for every $\mathcal{K}$, and therefore, by a well-known theorem due to Knaster and Tarski, has a least fixed point $\mathrm{lfp}(\psi^{\mathcal{K}})$ and a greatest fixed point $\mathrm{gfp}(\psi^{\mathcal{K}})$. Now we put $[\![\mu X.\psi]\!]^{\mathcal{K}} := \mathrm{lfp}(\psi^{\mathcal{K}})$ and $[\![\nu X.\psi]\!]^{\mathcal{K}} := \mathrm{gfp}(\psi^{\mathcal{K}})$.

Least (and greatest) fixed points can also be constructed inductively. Given a formula $\mu X.\psi(X)$, we define for each ordinal $\alpha$ the stage $X^\alpha$ of the lfp-induction of $\psi$ by

$$X^0 := \emptyset,\qquad X^{\alpha+1} := \psi^{\mathcal{K}}(X^\alpha),\qquad X^\alpha := \bigcup_{\beta < \alpha} X^\beta \text{ if } \alpha \text{ is a limit ordinal.}$$

By monotonicity, the stages of the lfp-induction increase until a fixed point is reached. The first ordinal at which this happens is called the closure ordinal of the induction. By ordinal induction, one easily proves that this inductively constructed fixed point coincides with the least fixed point. The cardinality of a closure ordinal cannot be larger than the cardinality of $\mathcal{K}$.

For any formula $\varphi$, the formula $\nu X.\varphi$ is equivalent to $\neg\mu X.\neg\varphi(\neg X)$, where $\varphi(\neg X)$ denotes the formula obtained from $\varphi$ by replacing all occurrences of $X$ with $\neg X$.

Simultaneous Fixed Points. There is a variant of $L_\mu$ that admits systems of simultaneous fixed points. Here one associates with any tuple $\bar\psi = (\psi_1, \ldots, \psi_k)$ of formulae $\psi_i(\bar X) = \psi_i(X_1, \ldots, X_k)$, in which all occurrences of all $X_i$ are positive, a new formula $\varphi = \mu\bar X.\bar\psi$. The semantics of $\varphi$ is induced by the least fixed point of the monotone operator mapping $\bar X$ to $\bar X'$ where $X'_i = \{v \in V : (\mathcal{K}, \bar X), v \models \psi_i\}$. More precisely, $\mathcal{K}, v \models \varphi$ iff $v$ is an element of the first component of the least fixed point of the above operator. Although these systems are computationally beneficial and sometimes also allow for more straightforward formalisations, they do not increase the expressive power. It is known that simultaneous least fixed points can be eliminated in favour of nested individual fixed points (see e.g. [1, page 27]). Indeed, $\mu XY.[\psi(X, Y), \varphi(X, Y)]$ is equivalent to $\mu X.\psi(X, \mu Y.\varphi(X, Y))$, and this equivalence generalises to larger systems in the obvious way.

Bisimulations and Tree Model Property. Bisimulation is a notion of behavioural equivalence for transition systems. No reasonable modal logic can distinguish between two systems that are bisimulation equivalent. Formally, given two transition systems $\mathcal{K}$ and $\mathcal{K}'$, with distinguished states $v$ and $v'$ respectively, we say that $\mathcal{K}, v$ is bisimulation equivalent to $\mathcal{K}', v'$, written $\mathcal{K}, v \sim \mathcal{K}', v'$, if there is a relation $R \subseteq V \times V'$ between the states of $\mathcal{K}$ and the states of $\mathcal{K}'$ such that: (1) $(v, v') \in R$; (2) for each atomic proposition $p \in \mathcal{V}$ and each $(u, u') \in R$, $u \in [\![p]\!]^{\mathcal{K}}$ if, and only if, $u' \in [\![p]\!]^{\mathcal{K}'}$; (3) for each $(u, u') \in R$, and each $t \in V$ such that $(u, t) \in E_a$, there is a $t' \in V'$ with $(u', t') \in E'_a$ and $(t, t') \in R$; and (4) for each $(u, u') \in R$, and each $t' \in V'$ such that $(u', t') \in E'_a$, there is a $t \in V$ with $(u, t) \in E_a$ and $(t, t') \in R$.

Bisimulation equivalence corresponds to equivalence in an infinitary modal logic $\mathrm{ML}^\infty$ [2]. This logic is the closure of ML under disjunctions and conjunctions taken over arbitrary sets of formulae. Thus, if $\mathcal{S}$ is any set (possibly infinite) of formulae, then $\bigwedge\mathcal{S}$ and $\bigvee\mathcal{S}$ are also formulae of $\mathrm{ML}^\infty$. It can be shown that for any transition systems $\mathcal{K}$ and $\mathcal{K}'$, $\mathcal{K}, v \sim \mathcal{K}', v'$ if, and only if, $\mathcal{K}, v$ makes true exactly the same formulae of $\mathrm{ML}^\infty$ as $\mathcal{K}', v'$.
A transition system is called a tree if for every state $v$ there is at most one state $u$ and at most one action $a$ such that $(u, v) \in E_a$, there is exactly one state $r$, called the root of the tree, for which there is no state having a transition to $r$, and every state is reachable from the root. It is known that for every transition system $\mathcal{K}$ and any state $v$, there is a tree $\mathcal{T}$ with root $r$ such that $\mathcal{K}, v \sim \mathcal{T}, r$. One consequence of this is that any logic that respects bisimulation has the tree model property. For instance, for any formula $\varphi$ of $L_\mu$, if $\varphi$ is satisfiable, then there is a tree $\mathcal{T}$ such that $\mathcal{T}, r \models \varphi$.



2.3 The Modal Iteration Calculus 

We are now ready to introduce MIC. Informally, MIC is propositional modal logic ML, augmented with simultaneous inflationary fixed points.

Definition 2.1 (Syntax and semantics of MIC). MIC extends propositional multi-modal logic by the following rule: if $\varphi_1, \ldots, \varphi_k$ are formulae of MIC, and $X_1, \ldots, X_k$ are propositional variables, then

$$S = \left\{\begin{array}{l} X_1 \leftarrow \varphi_1\\ \vdots\\ X_k \leftarrow \varphi_k \end{array}\right.$$

is a system of rules, and $(\mathrm{ifp}\ X_i : S)$ is a formula of MIC. If $S$ consists of a single rule $X \leftarrow \varphi$, we simplify the notation and write $(\mathrm{ifp}\ X \leftarrow \varphi)$ instead of $(\mathrm{ifp}\ X : X \leftarrow \varphi)$.

Semantics: On every Kripke structure $\mathcal{K}$, the system $S$ defines, for each ordinal $\alpha$, a tuple $\bar X^\alpha = (X_1^\alpha, \ldots, X_k^\alpha)$ of sets of states, via the following inflationary induction (for $i = 1, \ldots, k$):

$$X_i^0 := \emptyset,\qquad X_i^{\alpha+1} := X_i^\alpha \cup [\![\varphi_i]\!]^{(\mathcal{K}, \bar X^\alpha)},\qquad X_i^\alpha := \bigcup_{\beta < \alpha} X_i^\beta \text{ if } \alpha \text{ is a limit ordinal.}$$

We call $(X_1^\alpha, \ldots, X_k^\alpha)$ the stage $\alpha$ of the inflationary induction of $S$ on $\mathcal{K}$. As the stages are increasing (i.e. $X_i^\alpha \subseteq X_i^\beta$ for any $\alpha < \beta$), this induction reaches a fixed point $(X_1^\infty, \ldots, X_k^\infty)$. Now we put $[\![(\mathrm{ifp}\ X_i : S)]\!]^{\mathcal{K}} := X_i^\infty$.

See Sections 2.4 and 3 for examples of such formulae.



Lemma 2.2. $L_\mu \subseteq \mathrm{MIC}$. Further, on every class of structures of bounded cardinality $\mathrm{MIC} \subseteq \mathrm{ML}^\infty$.

Proof. Clearly, if $X$ occurs only positively in $\varphi$, then $\mu X.\varphi \equiv (\mathrm{ifp}\ X \leftarrow \varphi)$. Hence $L_\mu \subseteq \mathrm{MIC}$.

Now, let $S$ be a system of rules $X_i \leftarrow \varphi_i(X_1, \ldots, X_k)$. It is clear that for each ordinal $\alpha$ there exist formulae $\varphi_1^\alpha, \ldots, \varphi_k^\alpha \in \mathrm{ML}^\infty$ defining, over any Kripke structure, the stage $\alpha$ of the induction by $S$. As closure ordinals are bounded on structures of bounded cardinality, the second claim follows. □

Corollary 2.3. MIC is invariant under bisimulation and has the tree model property.

Note that on structures of unbounded cardinality, $L_\mu$ and MIC are not contained in $\mathrm{ML}^\infty$. For instance, well-foundedness is expressed by the $L_\mu$-formula $\mu X.\Box X$, but is known not to be expressible in $\mathrm{ML}^\infty$.

2.4 Non-regular Languages 

We now demonstrate that MIC is strictly more expressive than $L_\mu$. Recall that every formula of $L_\mu$ can be translated into a formula of monadic second order logic (MSO). Moreover, it is known [3] that the only sets of finite words that are expressible in MSO are the regular languages. For our purposes, a finite word is a transition system with only one kind of action, which is a finite tree, and where every state has at most one successor.

Proposition 2.4. There is a language that is expressible in MIC but not in MSO.

Proof. The language $L := \{a^n b^m : n < m\}$ is not regular, hence not definable in monadic second-order logic, but it is definable in MIC. To see this, we consider first the formula $\mathrm{Tr}(X) = (\mathrm{ifp}\ Y \leftarrow \Diamond(b \wedge \neg X) \vee \Diamond(a \wedge X \wedge Y))$ which (since the rule is positive in $Y$) is in fact equivalent to an $L_\mu$-formula. On every word $w = w_0 \cdots w_{n-1} \in \{a, b\}^*$ and $X \subseteq \{0, \ldots, n-1\}$, the formula is true if $w$ starts with a (possibly empty) $a$-sequence inside $X$ followed by a $b$ outside $X$. Now the formula $(\mathrm{ifp}\ X \leftarrow (a \wedge \mathrm{Tr}(X)) \vee (b \wedge \Box X))$ defines (inside $a^*b^*$) the language $L$. Note that the language $a^*b^*$ is definable in $L_\mu$, so we can conjoin this definition to the above formula to obtain a definition of $L$ which works on all words in $\{a, b\}^*$. □

The observation in Proposition 2.4 was pointed out to us in discussion by Martin Otto, and was the starting point of the investigation reported here.

3 Interpreting Arithmetic in MIC

In this section we prove that the satisfiability problem of MIC is undecidable
in a very strong sense. Given that MIC is invariant under bisimulation, we can
restrict attention to trees. In fact we will only consider well-founded trees (i.e.
trees satisfying the formula $\mathrm{ifp}\, X \leftarrow \Box X$). The height $h(v)$ of a node $v$ in a
well-founded tree $\mathcal T$ is an ordinal, namely the least upper bound of the heights
of its children. For any node $v$ in a tree $\mathcal T$, we write $\mathcal T(v)$ for the subtree of $\mathcal T$
with root $v$. We first show that the nodes of finite height and the nodes of height
$\omega$ are definable in MIC.
Lemma 3.1. Let $S$ be the system

$$X \leftarrow \Box\mathrm{false} \vee (\Box X \wedge \Diamond\neg Y)$$
$$Y \leftarrow X.$$

Then, on every tree $\mathcal T$, $\llbracket \mathrm{ifp}\, X : S \rrbracket^{\mathcal T} = \llbracket \mathrm{ifp}\, Y : S \rrbracket^{\mathcal T} = \{v : h(v) < \omega\}$.

Proof. By induction we see that for each $i < \omega$, $X^i = \{v : h(v) < i\}$ and
$Y^i = X^{i-1} = \{v : h(v) < i-1\}$. As a consequence $X^\omega = Y^\omega = \{v : h(v) < \omega\}$.

One further iteration shows that $X^{\omega+1} = Y^{\omega+1} = X^\omega$. □

With the system $S$ exhibited in Lemma 3.1 we obtain the formulae finite-
height $:= (\mathrm{ifp}\, X : S)$ and $\omega$-height $:= \neg(\mathrm{ifp}\, X : S) \wedge \Box(\mathrm{ifp}\, X : S)$ which define,
respectively, the nodes of finite height and the nodes of height $\omega$. Note that
$\omega$-height is a satisfiable formula all of whose models are infinite.

Proposition 3.2. MIC does not have the finite model property. 

We show that the satisfiability problem of MIC is undecidable. In fact MIC 
interprets full arithmetic on the heights of nodes. To prove this we first define 
some auxiliary formulae that will be used frequently throughout the paper. We 
always assume that the underlying structure is a well-founded tree. 

— The formula $\mathrm{nonempty}(\varphi) := (\mathrm{ifp}\, X \leftarrow \varphi \vee \Diamond X)$ expresses that $\varphi$ holds
somewhere in the subtree of the current node:
$\mathcal T, v \models \mathrm{nonempty}(\varphi)$ iff $\llbracket \varphi \rrbracket^{\mathcal T} \cap \mathcal T(v) \neq \emptyset$.

— Dually $\mathrm{all}(\varphi) := (\mathrm{ifp}\, X \leftarrow \varphi \wedge \Box X)$ says that $\varphi$ holds at all nodes of the
subtree $\mathcal T(v)$.

— We say that a set $X$ (in a tree $\mathcal T$) encodes the ordinal $\alpha$ if $X = \{v : h(v) < \alpha\}$.
Let $\mathrm{ordinal}(X)$ be the conjunction of the formula $\mathrm{all}(X \to \Box X)$ with

$$\neg(\mathrm{ifp}\, Z : \; Y \leftarrow \Box Y$$
$$Z \leftarrow \mathrm{nonempty}(\neg Y \wedge \Box Y \wedge X) \wedge \mathrm{nonempty}(\neg Y \wedge \Box Y \wedge \neg X)).$$

It expresses that $X$ encodes some ordinal. Indeed $\mathrm{all}(X \to \Box X)$ says that
with each node $v \in X$, the entire subtree rooted at $v$ is contained in $X$.
The second conjunct performs an inflationary induction incorporating into
$Y$ at each stage $\beta + 1$ all nodes of height $\beta$ (which satisfy $\neg Y \wedge \Box Y$) and
incorporates the root of the tree into $Z$ if both $X$ and its complement contain
nodes of height $\beta$. Hence, at the end of the induction the root of the tree
will not be contained in $Z$ if, and only if, $X$ does not distinguish between
nodes of the same height. Together the two conjuncts imply that $X$ contains
all nodes up to some height.

— The formula $\mathrm{number}(X) = \mathrm{ordinal}(X) \wedge \mathrm{nonempty}(\text{finite-height} \wedge \neg X)$ says
that $X$ encodes a natural number $n$ (inside a tree of height $> n$).
Lemma 3.3. Let $\mathcal T$ be a well-founded tree of height $\omega$. There exist formulae
$\mathrm{plus}(S,T)$ and $\mathrm{times}(S,T)$ of MIC such that, whenever the sets $S$ and $T$ encode
in the tree $\mathcal T$ the natural numbers $s$ and $t$, then $\llbracket \mathrm{plus}(S,T) \rrbracket^{\mathcal T}$ encodes $s+t$, and
$\llbracket \mathrm{times}(S,T) \rrbracket^{\mathcal T}$ encodes $st$.

Proof. Let

$$\mathrm{plus}(S,T) := \mathrm{ifp}\, Y : \; X \leftarrow \Box X$$
$$Y \leftarrow S \vee (\Box Y \wedge \mathrm{nonempty}(X) \wedge \mathrm{all}(X \to T)).$$

Obviously at each stage $n$, we have $X^n = \{v : h(v) < n\}$. We claim that for
each $n$, $Y^{n+1} = \{v : h(v) < s + \min(n,t)\}$. For $n = 0$ this is clear (note that
for the case $s = 0$ this is true because the conjunct $\mathrm{nonempty}(X)$ prevents the
$Y$-rule from being active at stage 1). For $n > 0$ the inclusion $X^n \subseteq T$ is true iff
$n \le t$. Hence we have $Y^{n+1} = \{v : h(v) < s + n\}$ in the case that $n \le t$ and
$Y^{n+1} = Y^n = \cdots = Y^{t+1}$ otherwise. To express multiplication we define

$$\mathrm{times}(S,T) := \mathrm{ifp}\, Y : \; X \leftarrow \Box X$$
$$Y \leftarrow \mathrm{plus}(Y, S) \wedge \mathrm{all}(\Box X \to T).$$

We claim that $Y^n = \{v : h(v) < s \cdot \min(n,t)\}$. This is trivially true for $n = 0$.
If it is true for $n < t$, then $Y^{n+1} = \{v : h(v) < sn + s\} = \{v : h(v) < s(n+1)\}$.
Finally for $n \ge t$, the extension of $\Box X^n$ is $\{v : h(v) < n+1\}$ which is not
contained in $T = \{v : h(v) < t\}$, hence $Y^{n+1} = Y^n = \cdots = Y^t$. □
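Worked example (added here; this is not code from the paper): a bottom-up evaluator for MIC on finite Kripke structures that implements the simultaneous inflationary induction of Section 2.3, and uses it to check the stages of the system $S$ of Lemma 3.1 and the formulae plus and times of Lemma 3.3 on a constructed complete binary tree. It is the naive evaluation whose cost is analysed in Section 5. Assumptions: the tree, the tuple encoding of formulae and all function names are constructed for this example; the conjunct $\Diamond\neg Y$ in the first rule of $S$ is read off the proof of Lemma 3.1, since the scan truncates that rule; and because the tree is finite, the height-$\omega$ trees of the lemmas are replaced by a finite tree whose height exceeds the numbers involved.

```python
import itertools

# MIC formulae as nested tuples (constructed encoding for this example):
#   ('false',)  ('prop', 'p')  ('var', 'X')  ('not', f)  ('and', f, g)  ('or', f, g)
#   ('imp', f, g)  ('dia', f)  ('box', f)
#   ('ifp', 'Y', [('X', fX), ('Y', fY)]): simultaneous inflationary induction whose
#   value is the component named in position 1.

_counter = itertools.count()

def fresh(name):
    """Unique bound-variable names, so nested inductions cannot capture each other."""
    return f"{name}{next(_counter)}"

def var(x):
    return ('var', x)

class Kripke:
    """Finite transition system: one action (succ) and atomic propositions (props)."""
    def __init__(self, states, succ, props):
        self.states = frozenset(states)
        self.succ = {v: tuple(succ.get(v, ())) for v in self.states}
        self.props = {p: frozenset(s) for p, s in props.items()}

def inflate(rules, K, env):
    """Stages X^0, X^1, ... of the inflationary induction of a system of rules on K;
    the list ends with the first stage that no longer changes (the fixed point)."""
    stage = {v: frozenset() for v, _ in rules}
    stages = [stage]
    while True:
        local = {**env, **stage}                      # bound variables shadow outer ones
        nxt = {v: stage[v] | evaluate(phi, K, local) for v, phi in rules}
        if nxt == stage:
            return stages
        stages.append(nxt)
        stage = nxt

def evaluate(f, K, env=None):
    """Extension of f on K under the assignment env of set variables (bottom-up)."""
    env = env or {}
    t = f[0]
    if t == 'false': return frozenset()
    if t == 'prop':  return K.props.get(f[1], frozenset())
    if t == 'var':   return env[f[1]]
    if t == 'not':   return K.states - evaluate(f[1], K, env)
    if t == 'and':   return evaluate(f[1], K, env) & evaluate(f[2], K, env)
    if t == 'or':    return evaluate(f[1], K, env) | evaluate(f[2], K, env)
    if t == 'imp':   return (K.states - evaluate(f[1], K, env)) | evaluate(f[2], K, env)
    if t in ('dia', 'box'):                           # box holds vacuously at leaves
        s, q = evaluate(f[1], K, env), (any if t == 'dia' else all)
        return frozenset(v for v in K.states if q(u in s for u in K.succ[v]))
    if t == 'ifp':   return inflate(f[2], K, env)[-1][f[1]]
    raise ValueError(f"unknown connective {t}")

# Auxiliary formulae of Section 3 (trees assumed well founded; here they are finite).
def nonempty(phi):
    X = fresh('X')
    return ('ifp', X, [(X, ('or', phi, ('dia', var(X))))])

def all_(phi):
    X = fresh('X')
    return ('ifp', X, [(X, ('and', phi, ('box', var(X))))])

def plus(S, T):
    """plus(S,T) of Lemma 3.3: X <- box X ; Y <- S or (box Y and nonempty(X) and all(X -> T))."""
    X, Y = fresh('X'), fresh('Y')
    grow = ('and', ('box', var(Y)), ('and', nonempty(var(X)), all_(('imp', var(X), T))))
    return ('ifp', Y, [(X, ('box', var(X))), (Y, ('or', S, grow))])

def times(S, T):
    """times(S,T) of Lemma 3.3: X <- box X ; Y <- plus(Y,S) and all(box X -> T)."""
    X, Y = fresh('X'), fresh('Y')
    return ('ifp', Y, [(X, ('box', var(X))),
                       (Y, ('and', plus(var(Y), S), all_(('imp', ('box', var(X)), T))))])

# The system S of Lemma 3.1; the conjunct 'dia not Y' is an assumption read off the proof.
LEMMA_31 = [('X', ('or', ('box', ('false',)),
                   ('and', ('box', var('X')), ('dia', ('not', var('Y')))))),
            ('Y', var('X'))]

def binary_tree(H):
    """Constructed sample structure: complete binary tree of height H, root 1, children 2i, 2i+1."""
    n = 2 ** (H + 1) - 1
    succ = {i: [c for c in (2 * i, 2 * i + 1) if c <= n] for i in range(1, n + 1)}
    return Kripke(range(1, n + 1), succ, {})

def encode(tree, H, n):
    """The set {v : h(v) < n} encoding n; node i has depth i.bit_length()-1, so h(i) = H - depth."""
    return frozenset(v for v in tree.states if H - (v.bit_length() - 1) < n)

def lemma31_stages(H):
    """X-components of the stages of S on the tree of height H: stage i is {v : h(v) < i}."""
    return [st['X'] for st in inflate(LEMMA_31, binary_tree(H), {})]

def arithmetic(H, s, t):
    """Check plus and times on encodings of s and t (H must be at least s+t and s*t)."""
    tree = binary_tree(H)
    env = {'S': encode(tree, H, s), 'T': encode(tree, H, t)}
    p = evaluate(plus(var('S'), var('T')), tree, env)
    m = evaluate(times(var('S'), var('T')), tree, env)
    return p == encode(tree, H, s + t), m == encode(tree, H, s * t)

if __name__ == '__main__':
    print([len(x) for x in lemma31_stages(4)])       # sizes of {h < i}: 0, 16, 24, 28, 30, 31, 31
    print(arithmetic(6, 2, 3), arithmetic(6, 0, 3), arithmetic(6, 3, 0))
```

The evaluator returns only the last stage; `inflate` exposes the whole stage sequence, which is what makes the claim $X^i = \{v : h(v) < i\}$ of Lemma 3.1 observable (on the tree of height 4 the $X$-stages have 0, 16, 24, 28, 30 and 31 nodes before the induction stops). Fresh bound-variable names are what allow plus to be nested inside times without the outer $Y$ being captured by the inner one.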



Corollary 3.4. For every polynomial $f(x_1, \ldots, x_r)$ with coefficients in the nat-
ural numbers there exists a formula $\psi_f(X_1, \ldots, X_r) \in$ MIC such that for every
tree $\mathcal T$ of height $\omega$ and all sets $S_1, \ldots, S_r$ encoding numbers $s_1, \ldots, s_r \in \omega$

$$\llbracket \psi_f(S_1, \ldots, S_r) \rrbracket^{\mathcal T} = \{v : h(v) < f(s_1, \ldots, s_r)\}.$$

Proof. By induction on $f$.

— $\psi_0 := \mathrm{false}$.

— $\psi_1 := \Box\mathrm{false}$.

— $\psi_x := X$.

— $\psi_{f+g} := \mathrm{plus}[S/\psi_f, T/\psi_g]$, i.e. the formula obtained by replacing in $\mathrm{plus}(S,T)$
the variables $S$ and $T$ by, respectively, $\psi_f$ and $\psi_g$.

— $\psi_{f \cdot g} := \mathrm{times}[S/\psi_f, T/\psi_g]$.

□



Theorem 3.5. For every first order sentence $\psi$ in the vocabulary $\{+, \cdot, 0, 1\}$ of
arithmetic, there exists a formula $\psi^* \in$ MIC such that $\psi$ is true in the standard
model $(\mathbb N, +, \cdot, 0, 1)$ of arithmetic if and only if $\psi^*$ is satisfiable.

Proof. We have already seen that there exists a MIC-axiom $\omega$-height axiomatis-
ing the models that are bisimilar to a tree of height $\omega$. Further, we can express
set equalities $X = Y$ by $\mathrm{all}(X \leftrightarrow Y)$ and we know how to represent polynomials
by MIC-formulae. What remains is to translate quantifiers.

More precisely, we need to show that for each first order formula $\psi(y_1, \ldots, y_r)$
in the language of arithmetic there exists a MIC-formula $\psi^*(Y_1, \ldots, Y_r)$ such
that on rooted trees $\mathcal T, w$ of height $\omega$ and all sets $S_1, \ldots, S_r$ that encode num-
bers $s_1, \ldots, s_r$ on $\mathcal T$ we have that $(\mathbb N, +, \cdot, 0, 1) \models \psi(s_1, \ldots, s_r)$ iff
$\mathcal T, w \models \psi^*(S_1, \ldots, S_r)$.

Only the case of formulae of the form $\psi(\bar y) := \exists x\, \varphi(x, \bar y)$ remains to be con-
sidered. By induction hypothesis, we assume that for $\varphi(x, \bar y)$ the corresponding
MIC-formula $\varphi^*(X, \bar Y)$ has already been constructed. Now let

$$\psi^*(\bar Y) := \mathrm{ifp}\, Z : \; X \leftarrow \Box X$$
$$Z \leftarrow \varphi^*(X, \bar Y) \wedge \mathrm{number}(X).$$

□

Corollary 3.6. The satisfiability problem for MIC is undecidable. In fact, it is 
not even in the arithmetical hierarchy. 

The proof given above appears to rely crucially on the use of simultaneous 
inductions. Indeed, one can show that formulae of MIC involving simultaneous 
inductions, in particular the formula constructed in the proof of Lemma 3.1, can- 
not be expressed without simultaneous inductions (see Theorem 4.2). However, 
it is still the case that first order arithmetic can be reduced to the satisfiability 
problem for MIC without simultaneous inductions. (See [5] for details.) 

4 Simultaneous vs. Non-simultaneous Inductions

It is easy to see that the equivalence $\mu XY.(\psi, \varphi) = \mu X.\psi(X, \mu Y.\varphi(X, Y))$ (some-
times called the Bekić principle [1]) fails in both directions when we take infla-
tionary instead of least fixed points. However, it still is conceivable that simulta-
neous inductions could be eliminated by more complicated techniques. It follows
from the results below that this is not the case, i.e. simultaneous inflationary
inductions provide more expressive power than simple ones. Let 1MIC denote
the fragment of MIC that does not involve simultaneous inductions.

For any ordinal $\alpha$, let $\mathcal T_\alpha$ denote the tree with a root $v_\alpha$ that has a set
$\{v_\beta \mid \beta < \alpha\}$ of children indexed by ordinals less than $\alpha$, where each $v_\beta$ is the
root of a subtree isomorphic to $\mathcal T_\beta$.

Lemma 4.1. Let $\varphi \in$ 1MIC be a formula. If $X_1, \ldots, X_k$ are atomic propositions
on $\mathcal T_\omega$, closed under bisimulations, such that $v_\omega \notin X_i$ (where $v_\omega$ is the root of $\mathcal T_\omega$)
and $\mathcal T_\omega, v_\omega \models \varphi(X_1, \ldots, X_k)$, then there is a finite $N$ such that for all $n > N$
and all nodes $v_n$ of height $n$, $\mathcal T_\omega, v_n \models \varphi(X_1 - \{v_n\}, \ldots, X_k - \{v_n\})$.

It is a straightforward consequence of this lemma that the formula $\omega$-height
defined in Sect. 3 is not equivalent to any formula of 1MIC. We hence have
established the following separation result.

Theorem 4.2. MIC is strictly more powerful than 1MIC.
5 The Model Checking Problem for MIC

Recall that the model checking problem for the $\mu$-calculus is in UP $\cap$ co-UP,
and is conjectured by some to be solvable in polynomial time. We now show
that MIC is algorithmically more complicated (unless Pspace = NP).

We first observe that the naive bottom-up evaluation algorithm for MIC-
formulae uses polynomial time with respect to the size of the input structure,
and polynomial space (and exponential time) with respect to the length of the
formula. Let $\mathcal K$ be a transition system with $n$ nodes and $m$ edges. The size $\|\mathcal K\|$
of appropriate encodings of $\mathcal K$ as an input for a model checking algorithm is
$O(n + m)$. It is well known that the extension of a basic modal formula $\varphi$
(without fixed points) on a finite transition system $\mathcal K$ can be computed in time
$O(|\varphi| \cdot \|\mathcal K\|)$. Further, any inflationary induction $\mathrm{ifp}\, X_i : [X_1 \leftarrow \varphi_1, \ldots, X_k \leftarrow \varphi_k]$
reaches a fixed point on $\mathcal K$ after at most $kn$ iterations. Hence, the bottom-
up evaluation of a MIC-formula $\psi$ with $d$ nested simultaneous inflationary fixed
points, each of width $k$, on $\mathcal K$ needs at most $O((kn)^d)$ basic evaluation steps.
For each fixed point variable occurring in the formula, $2n$ bits of workspace are
needed to record the current value and the last value of the induction. This gives
the following complexity results.

Proposition 5.1. Any MIC formula $\psi$ of nesting depth $d$ and simultaneous
inductions of width at most $k$ on a transition system $\mathcal K$ with $n$ nodes can be
evaluated in time $O((kn)^d \, |\psi| \cdot \|\mathcal K\|)$ and space $O(|\psi| \cdot n)$.

In terms of common complexity classes the results can be stated as follows. 

Theorem 5.2. (1) The combined complexity of the model checking problem
for MIC on finite structures is in Pspace.

(2) For any fixed formula $\psi \in$ MIC, the model checking problem for $\psi$ on
finite structures is solvable in polynomial time and linear space.

We now show that, contrary to the case of the $\mu$-calculus, the complexity
results obtained by this naive algorithm cannot be improved essentially.

Theorem 5.3. There exist transition systems $\mathcal K$ such that the model checking
problem for MIC on $\mathcal K$ is PSPACE-complete (even for 1MIC).

The proof is by reduction from QBF (the evaluation problem for quantified
Boolean formulae). We only sketch the argument here.

Let $\mathcal K$ be the Kripke-structure consisting of two points 0, 1, the atomic
proposition $p = \{1\}$, and the complete transition relation $\{0,1\} \times \{0,1\}$. Let
$\alpha(X) := \neg X \wedge (p \to \Diamond X)$. Further, let $\varphi[X/\alpha(X)]$ denote the formula obtained
from $\varphi$ by replacing every free occurrence of $X$ by $\alpha(X)$.

We inductively associate with every quantified Boolean formula $\psi$ a MIC-
formula $\psi^*$ as follows. For $\psi := X$ we set $\psi^* := (p \wedge X) \vee (\neg p \wedge \Diamond X)$. Further,
$(\neg\psi)^* := \neg\psi^*$ and $(\psi \circ \varphi)^* := \psi^* \circ \varphi^*$ for $\circ \in \{\wedge, \vee\}$. Finally, for $\psi := \forall X\, \varphi$ we
put $\psi^* := \Box(\mathrm{ifp}\, X \leftarrow \alpha(X) \wedge \varphi^*[X/\alpha(X)])$.

It can be shown that for any closed QBF-formula $\psi$, we have $\llbracket \psi^* \rrbracket^{\mathcal K} = \{0, 1\}$
if $\psi$ is true and $\llbracket \psi^* \rrbracket^{\mathcal K} = \emptyset$ otherwise. The theorem now follows immediately.



In [15], Otto introduced a higher-dimensional $\mu$-calculus which
extends basic multi-modal logic with an operator for forming least fixed points
of arbitrary arity, rather than just sets. He showed that this calculus can express every
bisimulation-invariant, polynomial time decidable property of finite structures.
Since we know that any collection of finite structures definable in MIC is both
bisimulation-invariant and polynomial time decidable, it follows that every for-
mula of MIC can be translated to a formula of this calculus that is equivalent to it on
finite structures. We now show that the converse fails. In particular, there are
properties of finite trees that are bisimulation-invariant and polynomial time
decidable but cannot be expressed in MIC.

Theorem 5.4. There is a collection $\mathcal T$ of finite trees in Ptime, closed under
bisimulation, which is not expressible in MIC.

We sketch the proof. Define $\mathcal T$ to be the collection of all finite trees $T$ such
that all children of the root of $T$ are bisimilar. As bisimulation equivalence is
decidable in polynomial time, it follows that $\mathcal T$ is in Ptime. It is also obvious
that $\mathcal T$ is closed under bisimulation.

Assume, towards a contradiction, that there is a formula $\varphi \in$ MIC that
defines $\mathcal T$. We use $\varphi$ to define an equivalence relation on trees. Informally, two
trees $T_1$ and $T_2$ are equivalent if at all stages of all the ifp-inductions in $\varphi$, the same
subformulae of $\varphi$ become true in $T_1$ as in $T_2$. Now, it can be shown that the index
of this equivalence on trees of height $n$ is bounded by $2^{p(n)}$ (for some polynomial
$p(n)$ depending only on $\varphi$), whereas the bisimulation-index on trees of height $n$
is not bounded by any elementary function. Hence there exist equivalent trees
$T_1$ and $T_2$ that are not bisimilar. It is easy to see
that $\varphi$ cannot distinguish between those trees where every child of the root is
the root of a copy of $T_1$ and those trees where one of these copies is replaced by
$T_2$. But in the first case the tree is in $\mathcal T$, and in the second it is not, yielding a
contradiction.



6 Languages

In this section we investigate the expressive power of MIC on finite strings. In
other words we attempt to determine what languages are definable by formulae
of MIC. For our purposes, a word $w$ of length $n$ in an alphabet $\Sigma$ is a transition
system with $n$ states $v_1, \ldots, v_n$, a single action such that $(v_i, v_j) \in E$ if, and
only if, $j = i + 1$, and an atomic proposition $s$ for each $s \in \Sigma$, such that for each
$v_i$ there is a unique $s$ with $v_i \in s$.

We have already seen in Proposition 2.4 that there are non-regular languages
that are definable in MIC. We begin this section by strengthening this result and
showing that there are languages definable in MIC that are not even context-free.
6.1 Non-CFLs in MIC

Theorem 6.1. There is a language definable in MIC that is not context-free.

Proof. Consider the language $L := \{cwdw \mid w \in \{a, b\}^*\}$ over the alphabet
$\{a, b, c, d\}$. It is easily verified that $L$ is not a context-free language. To see that
it is definable in MIC, first note that the formula

$$\alpha := c \wedge \Box\,\mathrm{empty}(c) \wedge \mathrm{nonempty}(d) \wedge \mathrm{all}(d \to \Box\,\mathrm{empty}(d))$$

defines the set of strings $\{cxdy \mid x, y \in \{a, b\}^*\}$. Now, the desired formula is the
conjunction of $\alpha$ with the negation of the formula

$$\varphi := \mathrm{ifp}\, X \leftarrow [\neg c \wedge (\Box X \vee \Diamond d)] \vee [c \wedge \mathrm{nonempty}(\psi)]$$

where $\psi$ is the formula

$$\neg X \wedge \Diamond X \wedge [(b \wedge \mathrm{nonempty}(a \wedge \Diamond X \wedge \neg X)) \vee (a \wedge \mathrm{nonempty}(b \wedge \Diamond X \wedge \neg X))].$$

□

We can also add the observation that the formula constructed in the proof of 
Theorem 6.1 above does not involve any simultaneous inductions, and therefore 
there are non-context-free languages definable in IMIC. 

Another measure of the complexity of a language, considered in [16], is au-
tomaticity. Briefly, the automaticity of a language $L$ is the function $A_L$ which
gives for each $n$ the number of states in the smallest deterministic automaton
which accepts a language that agrees with $L$ on all strings of length at most $n$.
Clearly, every regular language has constant automaticity. Here, we note that it
can be shown that the language used in the proof of Theorem 6.1 has exponential
automaticity, which is worst possible.

Finally, to place the expressive power of MIC in the Chomsky hierarchy, we 
note that every language definable in MIC can be defined by a context-sensitive 
grammar. This follows from the observation made in Section 5 that any class of 
finite structures defined by a formula of MIC is decidable in linear space, and 
the result that all languages decidable by nondeterministic linear space machines 
are definable by context-sensitive grammars. 

6.2 Capturing Linear Time Languages

We have seen in Section 5 that the data complexity of evaluating MIC-formulae
is in polynomial time and linear space. It is also clear that MIC can express
PTIME-complete properties, as this is already the case for the $\mu$-calculus.

On words the situation is somewhat different. The $\mu$-calculus defines precisely
the regular languages and hence is very far away from expressing PTIME-
complete properties. On the other side we have already seen that there exist
MIC-definable languages that are not even context-free. We will now show that
MIC can in fact define all languages that are decidable in linear time (by a
Turing machine).

An observation that we will use in the proof, but which may well be of
independent interest, is that cardinality comparisons and addition of cardinalities
are expressible in MIC on words (recall that none of these are MSO-definable).

Lemma 6.2. There exists a formula $\varphi(X, Y)$ of MIC such that on every word
$w$, we have $w, X, Y \models \varphi$ if and only if $|X| = |Y|$. Similarly for $|X| < |Y|$ and
$|X| + |Y| = |Z|$.

Theorem 6.3. Every language $L \in$ DTIME($O(n)$) is MIC-definable.

Note that we cannot expect to extend the result for linear time to quadratic
time or higher. This is because, as we have seen, every language definable in
MIC is decidable in linear space, and it is not expected that quadratic time is
included in linear space.
Abstract. We consider two systems of constructive modal logic which
are computationally motivated. Their modalities admit several computa-
tional interpretations and are used to capture intensional features such as
notions of computation, constraints, concurrency, etc. Both systems have
so far been studied mainly from type-theoretic and category-theoretic
perspectives, but Kripke models for similar systems were studied inde-
pendently. Here we bring these threads together and prove duality results
which show how to relate Kripke models to algebraic models and these
in turn to the appropriate categorical models for these logics.



1 Introduction 

This paper is about relating traditional Kripke-style semantics for constructive 
modal logics to their corresponding categorical semantics. Both forms of seman- 
tics have important applications within computer science. Our aim is to persuade 
traditional modal logicians that categorical semantics is easy, fun and useful; just 
like Kripke semantics. Additionally we show that categorical semantics gener- 
ates interesting new constructive modal logics, which differ somewhat from the 
traditional diet of intuitionistic modal logics [WZ95]. 

The salient feature of the constructive modal logics considered in this paper
is the omission of the axioms $\Diamond(A \vee B) \to \Diamond A \vee \Diamond B$ and $\neg\Diamond\bot$, which are
typically assumed for possibility $\Diamond$ not only in classical but also in intuitionistic
settings. While in classical (normal) modal logics these principles follow from
the properties of necessity $\Box$ there is no a priori reason to adopt them in an
intuitionistic setting where the classical duality between $\Box$ and $\Diamond$ breaks down
and $\Diamond$ is no longer derivable from $\Box$. In fact, a growing body of work motivated
by computer science applications [Wij90,FM97,PD01] rejects these principles
from a constructive point of view. In this paper we will study the semantics of
two such constructive modal logics, CS4 and PLL, introduced below.
We explore three standard types of semantics, Kripke, categorical, and al-
gebraic semantics for CS4 and PLL. The algebraic semantics (CS4-modal alge-
bra, PLL-modal algebra) is concerned only with equivalence of and the relative
strength of formulas in terms of abstract semantic values (e.g. truth values, proofs,
constraints, etc.). It does not explain why a formula is true or why one formula
is stronger than another. If one is interested in a more informative presentation
and a concrete analysis of semantics, then a Kripke or categorical semantics may
be more useful. The former explains 'meaning' in terms of worlds (in models)
and validity of assertions at worlds (in models) in a classical Tarski-style inter-
pretation. The 'semantic value' is given by the set of worlds at which a formula
is valid. This form of semantics has been very successful for intuitionistic and
modal logics alike. More recent and less traditional is the categorical approach.
Here, we model not only the 'semantic value' of a formula, but also the 'seman-
tic value' of its derivations/proofs, usually in a given natural deduction calculus.
Thus, derivations in the logic are studied as entities in their own right, and have
their own semantic objects in the models. Many applications of modal logic to
computer science rely on having a term calculus for natural deduction proofs
in the logic. Such a term calculus is a suitable variant of the $\lambda$-calculus, which
is the prototypical functional programming language. From this point of view
the semantic value of a formula is given by the collection of normal form pro-
grams that witness its assertion. Having a calculus of terms corresponding to
derivations in the logic one obtains a direct correspondence between properties
of proofs and properties of programs in the functional programming language
based on these terms. For a discussion of the necessity modal operator $\Box$ and
its interpretation as the 'eval/quote' operator in Lisp the reader is referred to
[GL96].

In this sense both Kripke semantics and categorical semantics, presented
here for CS4 and PLL, should be seen as two complementary elaborations of the
algebraic semantics. They are both intensional refinements of their correspond-
ing modal algebras, and have important applications within computer science.
The natural correspondence between the Kripke models and modal algebras will
be stated and proved as a Stone Duality Theorem. This turns out to require a
different approach compared to other more standard intuitionistic modal log-
ics, in particular as regards the $\Diamond$ modality. The other correspondence, between
modal algebras and corresponding categorical structures, is essentially that be-
tween natural deduction proofs and the appropriate $\lambda$-calculus. This is known as
the Extended Curry-Howard Isomorphism. Whereas the extended Curry-Howard
isomorphism between intuitionistic propositional logic and the simply-typed $\lambda$-
calculus has been known since the late 60s, establishing such isomorphisms for
modal logics is a more recent development. In this paper we develop a suitable
categorical semantics and associated $\lambda$-calculus for CS4 and PLL. It should be
mentioned that the results for PLL are not new (see [FM97] for the Kripke and
[BBdP98] for categorical semantics for PLL). Our contribution here is to show
how PLL is related to CS4 and how these known results for PLL can be de-
rived from those from CS4, or, to put it the other way round, how the known
constructions for PLL may be generalised to CS4.

2 The Constructive Modal Systems CS4 and PLL 

In this paper we take a fresh look at two prominent constructive modal exten- 
sions to intuitionistic propositional logic (IPL), which are particularly interesting 
because of their various applications in computer science. 

To give the reader a taste for these applications, we list a few. Davies and
Pfenning [DP96] use the $\Box$-modality to give a $\lambda$-calculus for computation in
stages. The idea is that a term $\Box t$ represents a delayed computation. Ghani et al.
[GdPR98] investigate refinements of this calculus which are suitable for the de-
sign of abstract machines. Similar ideas relating $\Box$ with staged evaluation and the
distinction between run-time and compile-time semantics have been developed
by Moggi et al. [BMTS99]. Despeyroux and Pfenning [DPS97] use a box modality
to encode higher-order abstract syntax in theorem-provers like Elf and Isabelle.
Still another use of the $\Box$ modality, to model the quote mechanism of Lisp, is
proposed by Goubault-Larrecq [GL96]. A $\Diamond$-style modality has been extensively
used to distinguish a computation from its result in the $\lambda$-calculus: Moggi's
[Mog91] influential work on computational monads describes the computational
$\lambda$-calculus, which corresponds to an intuitionistic modal type theory with a $\Diamond$-
like modality (see [BBdP98]). Fairtlough and Mendler [Men93,FMW97,Men00]
use the same modality, which they call $\bigcirc$, in their work on lax logic for constraints
and hardware verification. The calculus has also been used for denotational se-
mantics of exception handling mechanisms, continuations, etc. On the syntactic
side, it has been used, in the monadic-style of functional programming to add a
notion of 'encapsulated state' to functional languages.

Despite their relevance for computer science these modal extensions of IPL 
seem to be less well investigated as modal logics in their own right, perhaps 
because of the “unusual properties” of their associated modal operators. 



2.1 Constructive S4

The first modal system, which we call Constructive S4 (CS4), is a version of the
intuitionistic S4 first introduced by Prawitz in his 1965 monograph [Pra65]. The
Hilbert-style formulation of CS4 is obtained by extending IPL by a pair $\Box$, $\Diamond$ of
S4-like intuitionistic modalities satisfying the axioms and the necessitation rule
listed in Figure 1. The normal basis of CS4, i.e., consisting only of axioms $\Box K$
and $\Diamond K$ plus the axiom $\neg\Diamond\bot$ (which we reject, see below) has been introduced¹
and motivated by Wijesekera [Wij90] as a predecessor to constructive concurrent
dynamic logic. The practical importance of CS4 as a type system for functional
programming is evident from the literature, e.g. as cited in the beginning of this
section, though most applications so far focus on the $\Box$ modality. The formal

¹ Wijesekera considers a first order system, to be precise.
$\Box K$     $\Box(A \to B) \to (\Box A \to \Box B)$
$\Diamond K$     $\Box(A \to B) \to (\Diamond A \to \Diamond B)$
$\Box T$     $\Box A \to A$
$\Diamond T$     $A \to \Diamond A$
$\Box 4$     $\Box A \to \Box\Box A$
$\Diamond 4$     $\Diamond\Diamond A \to \Diamond A$
Nec     If $A$ is a theorem then $\Box A$ is a theorem.

Fig. 1. Hilbert-style system for Constructive S4




role of $\Diamond$ and its interaction with $\Box$ has recently been studied systematically by
Pfenning and Davies [PD01].

The natural deduction formulation of CS4 is subject to some controversy. We
recall it in the style of Bierman and de Paiva [BdP96]. The naive introduction
rule for $\Box$ (corresponding to the necessitation rule Nec) insists that all of the
undischarged assumptions at the time of application are modal, i.e. they are all
of the form $\Box A_i$. However, the fundamental feature of natural deduction is that
it is closed under substitution and this naive rule will not be closed under sub-
stitution, i.e. substituting a correct derivation in another correct derivation will
yield an incorrect one (if this substitution introduces non-modal assumptions).
We conclude that $\Box_I$ must be formulated as in Figure 2, where the substitutions
are given explicitly. The same sort of problem arises in the rules for $\Diamond_E$ and the
same solution (of explicit substitutions) can be used, see the rule $\Diamond_E$ in Figure 2.

Both problems were first observed by Prawitz, who proposed a syntactically
more complicated way of solving it [Pra65]. An interesting alternative approach
has recently been presented by Pfenning and Davies [PD01], which (essentially)
involves two kinds of variables, and two kinds of substitution. Note that in
our solution the discharging brackets are used in a slightly different way from
traditional natural deduction. In the introduction rule for $\Box$ they mean, discharge
all assumptions (which must be all boxed in this rule).

The system CS4 is the weakest among the variants of intuitionistic S4 dis-
cussed in the literature. In particular, it does not prove the distribution of the
possibility operator over disjunction $\Diamond(A \vee B) \to \Diamond A \vee \Diamond B$, nor does it assume
$\neg\Diamond\bot$, i.e., that possibly falsum ($\Diamond\bot$) and falsum ($\bot$) are equiprovable (which
is the nullary form of the distribution). This version of non-classical S4 without
distributivity of $\Diamond$ over $\vee$ is extremely well-behaved. As we will see there is a
complete version of the Curry-Howard Isomorphism for it.

2.2 Propositional Lax Logic

The second constructive modal logic we consider is an extension of IPL that
features a single modality $\bigcirc$ satisfying the axioms

$\bigcirc T : A \to \bigcirc A$

$\bigcirc 4 : \bigcirc\bigcirc A \to \bigcirc A$

$\bigcirc F : (A \to B) \to \bigcirc A \to \bigcirc B.$

The third axiom is known (categorically) as 'functorial strength'. This system is
discussed under different names and in slightly differing but equivalent axiomatic
presentations, such as Computational Logic [BBdP98] or Propositional Lax Logic
(PLL) [FM97]. Henceforth we shall call it PLL. The natural deduction system
contains the following rules for $\bigcirc$ ([Men93]), given here in linear form:

($\bigcirc_I$) from $B$ infer $\bigcirc B$;

($\bigcirc_E$) from $\bigcirc A$ and a derivation of $\bigcirc B$ from the assumption $[A]$, which is
discharged by the rule, infer $\bigcirc B$.

PLL also has a colourful history. As a modal logic it was invented in the forties by
Curry [Cur57] (who seems to have dropped it again because of its wild properties)
and independently rediscovered in the nineties by Benton et al. and Fairtlough
and Mendler, who used the symbol $\bigcirc$ for the modality, as the Curry-Howard
isomorphic version of Moggi's computational lambda-calculus. As an algebra the
system PLL is well known in abstract topology. The operator $\bigcirc$ arises naturally
as a (strong, or multiplicative) closure operator on the lattice of open sets, or
more generally as a so-called nucleus in the theory of topoi and sheafification
[Joh82]. From this topological perspective, Goldblatt studied a system identical
to PLL accommodating Lawvere's suggestion that the $\bigcirc$ modality means "it
is locally the case that" by interpreting this in various ways to mean "at all
nearby points" [Gol81,Gol93]. The algebraic properties of such operators (on
complete Heyting algebras) have been explored by Macnab [Mac81], who calls
them "modal operators".

In this paper we show how PLL can be naturally seen as a special CS4 theory
or CS4 algebra in the sense that it can be obtained from CS4 by adding the axiom
$A \to \Box A$. These results identify $\bigcirc$ as a constructive modality of possibility and
provide a satisfactory explanation for why in PLL a modality $\Box$ is missing: it is
implicitly built into the semantics already.



3 Kripke Models 

Our first step is to develop a suitable Kripke model theory for CS4. While it
is easy to agree that a Kripke model of constructive modal logic should con-
sist of a set of worlds $W$ and two accessibility relations, one intuitionistic $\le$
and the other modal $R$, it is not so clear how these relations should interact
(frame conditions) and just how they should be used to interpret specifically
the $\Diamond$ modality. The mainstream approach as exemplified by Ewald [Ewa86],
Fischer-Servi [FS80], Plotkin and Stirling [PS86], Simpson [Sim94] is based on
the analogy of $\Box$ with $\forall$ and of $\Diamond$ with $\exists$-quantification over the modal acces-
sibility $R$. Reading these quantifiers intuitionistically, relative to $\le$, one arrives
at the semantic interpretation $w \models \Box A$ iff $\forall v.\; w \le v \Rightarrow \forall u.\; v R u \Rightarrow u \models A$ for
necessity, and

$$w \models \Diamond A \;\text{ iff }\; \exists u.\; w R u \wedge u \models A \qquad (1)$$

for possibility. Indeed, as shown in the literature, this gives a fruitful basis
for intuitionistic modal logics. Unfortunately, it is not suitable for CS4, since
it forces the axiom $\Diamond(A \vee B) \to (\Diamond A \vee \Diamond B)$ to hold, which we want to avoid.
It also requires an extra frame condition to ensure hereditariness of truth, viz.,
that $w \models \Diamond A$ and $w \le v$ implies $v \models \Diamond A$. Hereditariness, however, can also be
achieved simply by $\forall$-quantifying over all $\le$-successors in the interpretation of
$\Diamond$:

$$w \models \Diamond A \;\text{ iff }\; \forall u.\; w \le u \Rightarrow \exists v.\; u R v \wedge v \models A. \qquad (2)$$

Not only does this do away with the extra frame condition to force $\Diamond$ hereditary
along $\le$, it also eliminates the unwanted axiom $\Diamond(A \vee B) \to (\Diamond A \vee \Diamond B)$. In
fact, as it turns out this works for CS4. This interpretation (2) of $\Diamond$, as far
as we are aware, has been introduced by Wijesekera [Wij90] to capture non-
deterministic computations and independently in [FM97] as an adequate Kripke
interpretation of truth "up to constraints". In both cases the absence of the
axiom $\Diamond(A \vee B) \to (\Diamond A \vee \Diamond B)$ is a natural consequence of the semantics.

Wijesekera only considered the normal base □K, OK of CS4, yet included the 
axiom -lOT. To eliminate the axiom -lOT we follow [FM97] in permitting explicit 
fallible worlds in our models. What remains, then, is to find suitable frame 
conditions on < and R that are characterised by the CS4 axioms DT, D4, OT, 04. 
These are incorporated into the following notion of CS4 model: 

Definition 1. A Kripke model of CS4 is a structure $M = (W, \le, R, \models)$, where $W$ is a non-empty set, $\le$ and $R$ are reflexive and transitive binary relations on $W$, and $\models$ a relation between elements $w \in W$ and propositions $A$, written $w \models A$ ("$A$ satisfied at $w$ in $M$") such that:

— $\le$ is hereditary with respect to propositional variables, that is, for every variable $p$ and worlds $w, w'$, if $w \le w'$ and $w \models p$, then $w' \models p$.

— $R$ and $\le$ are related as follows: if $w\,R\,w'$ and $w' \le v$ then there exists $v'$ such that $w \le v'$ and $v'\,R\,v$. In other words: $(R\,;\,\le) \subseteq (\le\,;\,R)$.

— The relation $\models$ has the following properties:

$$\begin{array}{lcl}
w \models \top; \\
w \models A \wedge B & \text{iff} & w \models A \text{ and } w \models B; \\
w \models A \vee B & \text{iff} & w \models A \text{ or } w \models B; \\
w \models A \to B & \text{iff} & \forall w'.\, w \le w' \Rightarrow (w' \models A \Rightarrow w' \models B); \\
w \models \Box A & \text{iff} & \forall w'.\, w \le w' \Rightarrow \forall u.\, w'\,R\,u \Rightarrow u \models A; \\
w \models \Diamond A & \text{iff} & \forall w'.\, w \le w' \Rightarrow \exists u.\, w'\,R\,u \wedge u \models A.
\end{array}$$

Notice that we do not have the clause $w \not\models \bot$; i.e., we allow inconsistent worlds. Instead, we have

— if $w \models \bot$ and $w \le w'$, then $w' \models \bot$, and

— if $w \models \bot$, then for every propositional variable $p$, $w \models p$ (to make sure that $\bot \to A$ is still valid).

As usual, a formula $A$ is true in a model $M = (W, \le, R, \models)$ if for every $w \in W$, $w \models A$. We sometimes write $M, w \models A$ when we want to make the model explicit. A formula $A$ is valid ($\models A$) if it is true in all models; a formula is satisfiable if there is a model and a consistent world where it is satisfied. A formula $A$ is a logical consequence of a set of formulae $\Gamma$ if for every $M, w$, if $M, w \models \Gamma$, then $M, w \models A$.
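A finite model checker for Definition 1, added here as an example and not part of the paper: it implements the satisfaction clauses above with explicit fallible worlds, checks the frame condition $(R;\le) \subseteq (\le;R)$, and lets $\Diamond$ be read either by the constructive clause (2) or by the classical clause (1). The formula encoding, the world names and the three-world countermodel are constructed for illustration; on that model $\Diamond(p \vee q) \to (\Diamond p \vee \Diamond q)$ fails at $w_0$ under clause (2) but holds under clause (1), where $\Diamond p$ is then no longer hereditary along $\le$.

```python
"""Finite Kripke models for CS4 in the sense of Definition 1 (added example)."""

# Formulas are nested tuples: ('var', 'p'), ('and', A, B), ('dia', A), ...
BOT = ('bot',)


def var(p): return ('var', p)
def and_(a, b): return ('and', a, b)
def or_(a, b): return ('or', a, b)
def imp(a, b): return ('imp', a, b)
def box(a): return ('box', a)
def dia(a): return ('dia', a)


def rt_closure(worlds, rel):
    """Reflexive-transitive closure of a relation given as a set of pairs."""
    closure = set(rel) | {(w, w) for w in worlds}
    while True:
        new = {(a, d) for (a, b) in closure for (c, d) in closure if b == c}
        if new <= closure:
            return frozenset(closure)
        closure |= new


class CS4Model:
    """M = (W, <=, R, |=); the fallible worlds are those satisfying bottom."""

    def __init__(self, worlds, leq, R, val, fallible=()):
        self.W = frozenset(worlds)
        self.leq = rt_closure(self.W, leq)      # intuitionistic accessibility <=
        self.R = rt_closure(self.W, R)          # modal accessibility R
        self.val = {w: frozenset(val.get(w, ())) for w in self.W}
        self.fallible = frozenset(fallible)

    def above(self, w):
        return [v for v in self.W if (w, v) in self.leq]   # all v with w <= v

    def succ(self, w):
        return [u for u in self.W if (w, u) in self.R]     # all u with w R u

    def sat(self, w, a, classical_dia=False):
        """w |= a; classical_dia=True reads diamond as in clause (1) instead of (2)."""
        s = lambda v, b: self.sat(v, b, classical_dia)
        k = a[0]
        if k == 'top':
            return True
        if k == 'bot':
            return w in self.fallible
        if k == 'var':                # a fallible world satisfies every variable
            return w in self.fallible or a[1] in self.val[w]
        if k == 'and':
            return s(w, a[1]) and s(w, a[2])
        if k == 'or':
            return s(w, a[1]) or s(w, a[2])
        if k == 'imp':                # for all w' >= w: w' |= A implies w' |= B
            return all(not s(v, a[1]) or s(v, a[2]) for v in self.above(w))
        if k == 'box':                # for all w' >= w and all u with w' R u: u |= A
            return all(s(u, a[1]) for v in self.above(w) for u in self.succ(v))
        if k == 'dia':
            if classical_dia:         # (1): exists u. w R u and u |= A
                return any(s(u, a[1]) for u in self.succ(w))
            # (2): for all w' >= w there is u with w' R u and u |= A
            return all(any(s(u, a[1]) for u in self.succ(v)) for v in self.above(w))
        raise ValueError(f"unknown connective {k!r}")

    def is_cs4_model(self, variables):
        """Definition 1: variables and bottom hereditary along <=, and
        (R ; <=) contained in (<= ; R)."""
        for w, w2 in self.leq:
            if w in self.fallible and w2 not in self.fallible:
                return False
            if any(self.sat(w, var(p)) and not self.sat(w2, var(p)) for p in variables):
                return False
        for w, w2 in self.R:                    # w R w2 and w2 <= v ...
            for v in self.above(w2):            # ... needs v2 with w <= v2 and v2 R v
                if not any((w, v2) in self.leq and (v2, v) in self.R for v2 in self.W):
                    return False
        return True

    def is_hereditary(self, a, classical_dia=False):
        """Does w |= a and w <= w' always give w' |= a?"""
        return all(not self.sat(w, a, classical_dia) or self.sat(w2, a, classical_dia)
                   for w, w2 in self.leq)

    def is_true(self, a, classical_dia=False):
        """a is true in the model if it holds at every world."""
        return all(self.sat(w, a, classical_dia) for w in self.W)


def distribution_countermodel():
    """Constructed three-world model: w0 lies below w1 and w2 (in both <= and R),
    p holds only at w1, q only at w2, and no world is fallible."""
    return CS4Model(worlds=['w0', 'w1', 'w2'],
                    leq={('w0', 'w1'), ('w0', 'w2')},
                    R={('w0', 'w1'), ('w0', 'w2')},
                    val={'w1': {'p'}, 'w2': {'q'}})


P, Q = var('p'), var('q')
DISTRIB = imp(dia(or_(P, Q)), or_(dia(P), dia(Q)))   # the axiom CS4 avoids
```

A model with a fallible world $f$ reachable by $R$ from a consistent world shows in the same way that $\neg\Diamond\bot$ is not valid, while the axioms $A \to \Diamond A$ and $\Box A \to A$ remain true.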

Observe that under the translation of intuitionistic logic into classical S4 which introduces a modality $\Box_I$ corresponding to the intuitionistic accessibility relation $\le$, our modalities $\Box$ and $\Diamond$ are translated as $\Box_I \Box_M$ and $\Box_I \Diamond_M$, respectively (where $\Box_M$ and $\Diamond_M$ are modalities corresponding to $R$). This means that our variant of S4 does not fall directly in the scope of Wolter and Zakharyaschev's analysis of intuitionistic modal logics as classical bimodal logics in [WZ97] since they assume $\Diamond$ to be a normal modality. However, analogous techniques could probably be used to give a new proof of decidability and the finite model property of CS4 and PLL.

Theorem 1. CS4 is sound and strongly complete with respect to the class of models defined above, that is, for every set of formulae $\Gamma$ and formula $A$, we have $\Gamma \vdash_{CS4} A$ iff $\Gamma \models A$.

We can use Theorem 1 to give a new soundness and completeness theorem 
for PLL. This is based on the observation that PLL models are a sub-class of CS4 
models: 

Definition 2. A Kripke model for PLL is a Kripke model for CS4 where R is 
hereditary, that is, for every formula A, if w \= A and wRv, then v \= A. 

The latter requirement corresponds to the strength axiom. It is in fact equivalent to the axiom $A \to \Box A$, so that $\Box$ becomes redundant in Kripke models for PLL. An alternative (slightly stronger) definition to the same effect given by Fairtlough and Mendler requires that $R$ is a subset of $\le$.

Theorem 2. PLL is sound and strongly complete with respect to the class of models defined above.

Proof. Soundness of PLL follows from soundness of CS4 and the fact that PLL-models satisfy the axiom scheme $A \to \Box A$, which renders the strength axiom $\Diamond F$ derivable from $\Diamond K$ of CS4.

For completeness consider an arbitrary set $\Gamma$ of PLL-formulas, and a PLL-formula $B$ such that $\Gamma \nvdash_{PLL} B$. Then, it is not difficult to see that $\Gamma^* \nvdash_{CS4} B$ where $\Gamma^*$ is the theory $\Gamma$ extended by all instances of the scheme $A \to \Box A$. For otherwise, if $\Gamma^* \vdash_{CS4} B$, we could transform this derivation into a derivation $\Gamma \vdash_{PLL} B$ simply by dropping all occurrences of $\Box$ in any formula, which means that every use of a CS4-axiom becomes an application of a PLL-axiom, and any use of an axiom $A \to \Box A$ or rule Nec becomes trivial. Note, this holds since if we drop all $\Box$ in a CS4 axiom, we get a PLL-axiom. By strong completeness of CS4 we conclude there exists a CS4-model $M$ such that $M \models \Gamma^*$ but $M \not\models B$. But then not only $M \models \Gamma$ but also $M$ validates all instances of $A \to \Box A$, which means that $M$ is a PLL-model.

4 Modal Algebras and Duality 

There is no unique ‘right’ Kripke semantics for a given system of modal logic. 
In general, the fit between modal (intuitionistic or classical) logics and Kripke 
structures is not perfect: apart from several versions of Kripke semantics for the 
same logic, which already seems suspect to category theorists, there are logics 
which are not complete for any Kripke semantics ([Fin74,Tho74]). Modal algebras 
have the definite advantage of fitting the logics much better. 

One can think of an algebra as a collection of syntactic objects, e.g. formulae of a logic. Representation theorems for algebras show how given an algebra one can build a 'representation' for it - a structure which is a 'concrete' set-theoretic object, e.g. a Kripke model¹.

We define modal algebras corresponding to PLL and CS4 below and show how 
to construct representations for them. Since the modal algebras can be directly 
obtained from the respective categorical models, and modal algebras can be 
shown (see below) to be Stone-dually related to our Kripke models, we obtain 
an algebraic link (albeit a weak one) between Kripke models and categorical 
models for the two constructive modal systems considered. 

Recall that a Heyting algebra $H$ is a structure of the form $(A, \le, \times, +, \Rightarrow, 0)$ where $A$ is a set of objects (one example would be formulae), $\le$ is a partial order (for formulae, $a \le b$ means '$a$ implies $b$'), $\times$ is a product (which corresponds to $\wedge$ in intuitionistic logic), $+$ a sum (corresponds to $\vee$), $\Rightarrow$ pseudocomplement (corresponds to $\to$) and $0$ the least element ($\bot$).

We introduce two additional operators, corresponding to the modalities. Note that $\Box$ distributes over $\times$, but $\Diamond$ does not distribute over $+$.

Definition 3. A CS4-modal algebra $\mathcal{A} = (A, \le, \times, +, \Rightarrow, 0, \Box, \Diamond)$ consists of a Heyting algebra $(A, \le, \times, +, \Rightarrow, 0)$ with two unary operators $\Box$ and $\Diamond$ on $A$, such that for every $a, b \in A$,

$$\begin{array}{lll}
\Box(a \times b) = \Box a \times \Box b & \Box a \le a & a \le \Diamond a \\
\Diamond a \le \Diamond(a + b) & \Box a \le \Box\Box a & \Diamond\Diamond a \le \Diamond a \\
1 \le \Box 1 & \Box a \times \Diamond b \le \Diamond(\Box a \times b).
\end{array}$$

¹ More precisely, a general frame; see the discussion below.

Next, we identify the corresponding algebraic structure for PLL, which is also known, in a somewhat different axiomatisation, as "local algebras" [Gol76]:

Definition 4. A PLL-modal algebra $\mathcal{A} = (A, \le, \times, +, \Rightarrow, 0, \Diamond)$ consists of a Heyting algebra $(A, \le, \times, +, \Rightarrow, 0)$ with a unary operator $\Diamond$ on $A$, such that for every $a, b \in A$,

$$\Diamond a \le \Diamond(a + b) \qquad a \le \Diamond a \qquad \Diamond\Diamond a \le \Diamond a \qquad a \times \Diamond b \le \Diamond(a \times b).$$

Obviously, every Kripke model M for CS4 or PLL gives rise to a corresponding 
modal algebra (take the set of all definable sets of possible worlds). 

Conversely, every modal algebra gives rise to a so-called general frame. A general frame is a structure which consists of a set of possible worlds $W$, two accessibility relations and a collection $\mathcal{W}$ of subsets of $W$ which can serve as denotations of formulae. Intuitively, $\mathcal{W}$ should contain $\{w : w \models p\}$ for every propositional variable $p$ and be closed under intersection, union and operations which give the set of worlds satisfying $\Box\varphi$ ($\Diamond\varphi$) from the set of worlds satisfying $\varphi$. (For more background, see for example [Ben83].)

Here, we will be somewhat sloppy and identify elements of the algebra with logical formulae straightaway. We assume that some subset $P$ of $A$ is arbitrarily designated as a set of propositional variables; $\times$, $+$, $\Rightarrow$ and $0$ are interpreted as $\wedge$, $\vee$, $\to$ and $\bot$. Then we can formulate the representation theorem for models instead of general frames:

Theorem 3 (Representation for CS4). Let $\mathcal{A}$ be a CS4-modal algebra. Then the Stone representation of $\mathcal{A}$, $SR(\mathcal{A}) = (W^*, R^*, \le^*, \models^*)$ is a Kripke model for CS4, where

1. $W^*$ is the set of all pairs $(\Gamma, \Theta)$ where $\Gamma \subseteq A$ is a prime filter, and $\Theta \subseteq A$ an arbitrary set of elements such that for all finite, nonempty, choices of elements $c_1, \ldots, c_n \in \Theta$, $\Diamond(c_1 + \cdots + c_n) \notin \Gamma$.

2. $(\Gamma, \Theta) \le^* (\Gamma', \Theta')$ iff $\Gamma \subseteq \Gamma'$.

3. $(\Gamma, \Theta)\, R^*\, (\Gamma', \Theta')$ iff $\forall a.\, \Box a \in \Gamma \Rightarrow a \in \Gamma'$ and $\Theta \subseteq \Theta'$.

4. For all $a \in A$, $(\Gamma, \Theta) \models^* a$ iff $a \in \Gamma$.

Let us call pairs $(\Gamma, \Theta)$ with $\Gamma, \Theta \subseteq A$ consistent theories if for any, possibly empty, choice of elements $b_1, \ldots, b_m \in \Gamma$ and any non-empty choice of elements $c_1, \ldots, c_n \in \Theta$, $b_1 \times \cdots \times b_m \not\le \Diamond(c_1 + \cdots + c_n)$. Then, the worlds of $SR(\mathcal{A})$ are simply the consistent theories $(\Gamma, \Theta)$ where $\Gamma$ is a prime filter. In the completeness proof we also need a slightly stronger notion of consistency as follows: For $a \in A$, a theory $(\Gamma, \Theta)$ is $a$-consistent if for any choice of elements $b_1, \ldots, b_m$ in $\Gamma$ and $c_1, \ldots, c_n \in \Theta$, $b_1 \times \cdots \times b_m \not\le (a + \Diamond(c_1 + \cdots + c_n))$. This includes the degenerate case $n = 0$ where we simply require $b_1 \times \cdots \times b_m \not\le a$.

The proof of our Stone Representation Theorem 3 relies on the following lemma.

Lemma 1 (Saturation Lemma). Let $a \in A$ and $(\Gamma, \Theta)$ an $a$-consistent theory in the CS4-algebra $\mathcal{A}$. Then $(\Gamma, \Theta)$ has a saturated $a$-consistent extension $(\Gamma^*, \Theta)$, such that $\Gamma^*$ is a prime filter and $\Gamma \subseteq \Gamma^*$.
We can now extract without extra effort a Stone Representation for PLL algebras from that for CS4 algebras, identical to the one implicit in the completeness proof given in Fairtlough and Mendler [FM97].

Theorem 4 (Representation for PLL). Let $\mathcal{A}$ be a PLL-modal algebra. Then the Stone representation of $\mathcal{A}$, $SR(\mathcal{A}) = (W^*, R^*, \le^*, \models^*)$ is a Kripke model for PLL, where $W^*$, $\le^*$, $\models^*$ are as above and $(\Gamma, \Theta)\, R^*\, (\Gamma', \Theta')$ iff $\Gamma \subseteq \Gamma'$ and $\Theta \subseteq \Theta'$.

Proof. Observe that every PLL algebra $\mathcal{A}$ is at the same time a CS4 algebra $\mathcal{A}'$ where the operator $\Box$ is taken to be the identity function. Hence, we can construct its CS4 Stone representation $SR(\mathcal{A}')$ as in Theorem 3, which is a Kripke model for CS4. Now, what properties does the relation $R^*$ have in $SR(\mathcal{A}')$? Well, $(\Gamma_1, \Theta_1)\, R^*\, (\Gamma_2, \Theta_2)$ iff $\forall a.\, \Box a \in \Gamma_1 \Rightarrow a \in \Gamma_2$ and $\Theta_1 \subseteq \Theta_2$. But since $\Box$ is the identity operator, this is the same as $\Gamma_1 \subseteq \Gamma_2$ and $\Theta_1 \subseteq \Theta_2$ as defined in Theorem 4. Observe further that $R^*$ is a subrelation of $\le^*$, which means that $R^*$ is hereditary. Thus, $SR(\mathcal{A}')$ is a PLL model.

Section 6 introduces categorical models for CS4 and PLL. Observe that one can view categorical models as modal algebras where the partial order relation $\le$ is replaced by a collection of morphisms. Intuitively, (again thinking of objects as formulae) while $a \le b$ in an algebra means that $b$ is implied by $a$, the category has possibly several morphisms from $a$ to $b$ labelled by encodings of corresponding derivations of $b$ from $a$.



5 Discussion on Kripke Semantics 

Since our Kripke semantics for CS4 is new it deserves some further justification 
and discussion, which we give in this section. 

First, how do our models relate to Wijesekera's? Let us call the class of structures $M = (W, \le, R, \models)$ with $\le$ reflexive and transitive but arbitrary $R$ CK-models (i.e., drop the requirement that $R$ is reflexive and transitive as well as the frame condition $R;\le \subseteq \le;R$), and further those in which for all worlds $w \not\models \bot$ infallible CK models. Then, Wijesekera [Wij90] showed² that the theory IPL $+ \Box K + \Diamond K + \neg\Diamond\bot$ with the rules of Modus Ponens and Nec is sound and complete for the class of infallible CK models. The proof of Wijesekera can be modified to show that CK $=$ IPL $+ \Box K + \Diamond K$ is sound and complete for all CK models. Our CS4-models may then be seen as the special class of CK models characterised by the additional axioms $\Diamond T$, $\Box T$, $\Diamond 4$, $\Box 4$.

Following [FM97] we permitted fallible worlds to render the formula $\neg\Diamond\bot$ invalid. This makes CS4 different from traditional intuitionistic modal logics which invariably accept this axiom. Fallible worlds were used originally to provide an intuitionistic meta-theory for intuitionistic logic, e.g., [TvD88,Dum77]. For intuitionistic propositional logics, with a classical meta-theory, fallible worlds are redundant. However, this is no longer true for modal logics. There, the presence or absence of fallible worlds is reflected in the absence or presence of the theorem $\neg\Diamond\bot$. In particular note that in the standard classical setting, i.e., without fallible worlds and $w \models \Diamond A$ meaning $\exists v.\, w\,R\,v \;\&\; v \models A$, the axiom $\neg\Diamond\bot$ (as well as $\Diamond(A \vee B) \to \Diamond A \vee \Diamond B$) is automatically validated.

² Actually, Wijesekera also lists the axiom $\Box A \wedge \Diamond(A \to B) \to \Diamond B$, but this is derivable already.

It is not only the fallible worlds but also the extension by sets $\Theta$, capturing hereditary refutation information, that distinguishes the representation of constructive modal logic, such as CS4, from that for standard intuitionistic modal logics, such as those of [PS86,FS80,Ewa86]. Indeed, if the axioms $\neg\Diamond\bot$ and $\Diamond(\varphi \vee \psi) \to \Diamond\varphi \vee \Diamond\psi$ are adopted the sets $\Theta$ and fallible worlds become redundant. Without these axioms, however, we also need the "negative" information in $\Theta$ to characterise truth at a world fully. It is also worthwhile to note that the model representation of Thm. 3 for CS4 is simpler than the one given by Wijesekera [Wij90] in the completeness proof for CK $+ \neg\Diamond\bot$. There, the $\Theta$ are (essentially) sets of sets of propositions, in which every element in $\Theta$ is a set of all possible future worlds for $(\Gamma, \Theta)$ that are accessible through $R^*$. This too, expresses negative information, though of a second-order nature. A quite different, but still second-order representation of CK models has been proposed by Hilken [Hil96]. As we have shown, however, the representation for CS4 can be done in a first-order fashion.

Our constructive S4 models satisfy the inclusion $R;\le \subseteq \le;R$, a frame condition that is typically assumed in standard intuitionistic modal logic already for system IK. One may wonder about the converse $\le;R \subseteq R;\le$ of this inclusion. One can show that in our models it generates the independent axiom scheme $((\Box A \to \Diamond B) \wedge \Box(A \vee \Diamond B)) \to \Diamond B$, thus inducing a proper extension of CS4.

As pointed out before, traditional intuitionistic modal logics such as those considered by Fischer-Servi [FS80] or Plotkin and Stirling [PS86] adopt a fundamentally different interpretation of $\Diamond$, defining $w \models \Diamond A$ iff $\exists v.\, w\,R\,v \;\&\; v \models A$. This enforces validity of $\Diamond(A \vee B) \to (\Diamond A \vee \Diamond B)$ but requires a frame condition $\le^{-1};R \subseteq R;\le^{-1}$ (confluence of $\le$ and $R$) to make $\Diamond$ hereditary along $\le$. It is not surprising, then, that for our constructive modal models, where hereditariness is built in by the semantic interpretation, this frame condition obtains the axiom scheme $\Diamond(A \vee B) \to (\Diamond A \vee \Diamond B)$, again inducing a proper extension.

We leave it as an open question if the above-mentioned axioms $((\Box A \to \Diamond B) \wedge \Box(A \vee \Diamond B)) \to \Diamond B$ or $\Diamond(A \vee B) \to (\Diamond A \vee \Diamond B)$ are complete for the frame conditions $\le;R \subseteq R;\le$ or $\le^{-1};R \subseteq R;\le^{-1}$ respectively. At least for PLL [FM97] it is known that $\le^{-1};R \subseteq R;\le^{-1}$ is completely captured by the axiom $\Diamond(A \vee B) \to (\Diamond A \vee \Diamond B)$, and in [Wij90] this axiom is linked with sequentiality of $R$.

6 Categorical Models

Categorical models distinguish between different proofs of the same formula. 
A category consists of objects, which model the propositional variables, and 
for every two objects A and B each morphism in the category from A to B, 
corresponds to a proof of B using A as hypothesis. 

Cartesian closed categories (with coproducts) are the categorical models for 
intuitionistic propositional logic. For a proper explanation the reader should con- 
sult Lambek and Scott [LS85]; Here we just outline the intuitions. Conjunction 
is modelled by cartesian products, a suitable generalisation of the products in 
Heyting algebras. The usual logical relationship between conjunction and impli- 
cation 

$$A \wedge B \to C \quad\text{if and only if}\quad A \to (B \to C)$$

is modelled by an adjunction and this defines categorically the implication connective. Thus we require that for any two objects $B$ and $C$ there is an object $B \Rightarrow C$ such that there is a bijection between morphisms from $A \wedge B$ to $C$ and morphisms from $A$ to $B \Rightarrow C$. Disjunctions are modelled by coproducts,
again a suitable generalisation of the sums of Heyting algebras. True and false 
are modelled by the empty product (called a terminal object) and co-product 
(the initial object), respectively. Finally negation, as traditional in constructive 
logic, is modelled as implication into falsum. A cartesian closed category (with 
coproducts) is sometimes shortened to a ccc (respectively a bi-ccc). Set, the 
category where the objects are sets and morphisms between sets are functions, 
is the standard example of a bi-cartesian closed category. 

To present a categorical model of constructive S4 we must add to a bi-ccc 
the structure needed to model the modalities. In previous work [BdP96] it was 
shown that to model the S4 necessity $\Box$ operator one needs a monoidal comonad. Such a monoidal comonad consists of an endofunctor $\Box : \mathcal{C} \to \mathcal{C}$ together with natural transformations $\delta_A : \Box A \to \Box\Box A$ and $\varepsilon_A : \Box A \to A$ and $m_{A,B} : \Box A \times \Box B \to \Box(A \times B)$ and a map $m_1 : 1 \to \Box 1$, satisfying some commuting conditions. These natural transformations model the axioms 4 and T together with the necessitation rule and the K axiom.

Here we assume that the modal operator $\Diamond$ is dually modelled by a monad with certain special characteristics: namely we want our monad to be strong with respect to the $\Box$ operator, i.e. we assume a natural transformation $st_{A,B} : \Box A \times \Diamond B \to \Diamond(\Box A \times B)$ satisfying the conditions detailed in [Kob97]. The strength is needed to model the explicit substitution in the $\Diamond E$-rule.

Definition 5. A CS4-category consists of a cartesian closed category $\mathcal{C}$ with coproducts, a monoidal comonad $(\Box, \varepsilon, \delta, m_{-,-}, m_1)$ where $\Box : \mathcal{C} \to \mathcal{C}$ and a $\Box$-strong monad $(\Diamond, \mu, \eta)$ where $\Diamond : \mathcal{C} \to \mathcal{C}$.

The soundness theorem shows in detail how the categorical semantics models 
the modal logic. 

Theorem 5 (Soundness). Let $\mathcal{C}$ be any CS4-category. Then there is a canonical interpretation $[\![\_]\!]$ of CS4 in $\mathcal{C}$ such that

— a formula $A$ is mapped to an object $[\![A]\!]$ of $\mathcal{C}$;

— a natural deduction proof $\psi$ of $B$ using formulae $A_1, \ldots, A_n$ as hypotheses is mapped to a morphism $[\![\psi]\!]$ from $[\![A_1]\!] \times \cdots \times [\![A_n]\!]$ to $[\![B]\!]$;

— each two natural deduction proofs $\phi$ and $\psi$ of $B$ using formulae $A_1, \ldots, A_n$ as hypotheses which are equal (modulo normalisation of proofs) are mapped to the same morphism, in other words $[\![\phi]\!] = [\![\psi]\!]$.

A trivial degenerate example of a CS4-category consists of taking any bi-ccc, say Set for example, and considering the identity functor (both as a monoidal comonad and as monad) on it. Less trivial, but still degenerate models are Heyting algebras (the poset version of a bi-ccc) together with a closure and a co-closure operator. Non-degenerate models (but quite complicated ones) can be found in [GL96]. To prove categorical completeness we use a term model construction.

Theorem 6 (Completeness).

(i) There exists a CS4-category such that all morphisms are interpretations of natural deduction proofs.

(ii) If the interpretation of two natural deduction proofs is equal in all CS4-categories, then the two proofs are equal modulo proof-normalisation in natural deduction.

A categorical model of PLL consists of a cartesian closed category with a 
strong monad. These models were in fact the original semantics for Moggi’s 
computational lambda-calculus and PLL can be seen as reverse engineering from 
that [BBdP98]. Hence we refrain from stating categorical soundness and com- 
pleteness for this system, but of course they hold as expected [Kob97]. 

In the logic, PLL arises as a special case of CS4 when we assume the derivability of $A \to \Box A$. A similar statement holds in category theory. We have an inclusion functor from the category of PLL-categories into the category of CS4-categories: each PLL-category is a CS4-category where the co-monad is the identity functor. Conversely, each CS4-category such that $\Box A$ is isomorphic to $A$ is a PLL-category.

7 Conclusions 

This paper shows how traditional Kripke semantics for two systems of intu- 
itionistic modal logic, CS4 and PLL, can be related via duality theory to the 
categorical semantics of (natural deduction) proofs for these logics. The associ- 
ated notions of modal algebras serve as an intermediate reference point. From 
this point of view the results of this paper may be seen as presenting two kinds 
of representations for these modal algebras. 

The first representation explains the semantics of an element in the algebra 
in terms of sets of worlds and truth within Kripke models. To this end we have 
developed an appropriate class of Kripke models for CS4 and proved a Stone 
representation theorem for it. As far as we are aware the model representation for CS4 is new. Its essential first-order character contrasts with the second order representations for the weaker system CK given by Wijesekera and Hilken. We have also shown how the canonical model construction of [FM97] for PLL follows from that for CS4 as a special case. Goldblatt [Gol76] proved a standard representation theorem for PLL algebras in terms of $U$-frames, that only requires prime filters rather than pairs $(\Gamma, \Theta)$. However, Goldblatt's work explains $\Diamond$ as a constructive modality of necessity, which is an altogether different way to look at $\Diamond$.

The contribution of this paper regarding PLL lies in showing that the modality $\Diamond$ of PLL is a constructive modality of possibility, in the sense that it can be obtained by adding to CS4 the axiom $A \to \Box A$. This is not the only way to derive PLL from CS4, but probably the most simple one so far proposed. Pfenning and Davies [PD01] give a full and faithful syntactic embedding PLL $\to$ CS4 that reads $\Diamond A$ as $\Diamond\Box A$ and $A \to B$ as $\Box A \to B$. Both possibilities can be used to generate different semantics for PLL from that of CS4. The embedding discussed in this paper most closely reflects the notion of constraint models for PLL introduced in [FM97].

The second representation given in this paper explains the semantics of an element in the algebra in terms of provability in a natural deduction calculus. The representation theorem establishes a $\lambda$-calculus and Curry-Howard correspondence for CS4. In general, modal algebras can be extended to categorical models by adding information about proofs (replacing $\le$ of the algebra by the collection of morphisms of the category), but this process is not trivial.

This extra information about proofs is crucial in applications of logic to model computational phenomena. While $\lambda$-terms (encodings of proofs in intuitionistic propositional logic) can be seen as semantic counterparts of functional programs, the addition of modalities to intuitionistic propositional logic makes it possible to obtain more sophisticated semantics of programs reflecting such computational phenomena as, for example, non-termination, non-determinism, side effects, etc. [Mog91]. Information about proofs can also be necessary in other applications of logic to computer science, where not just the truth (or falsity) of a formula is important, but also the justification (proof) of the claimed truth (see e.g. [Men93,FMW97,Men00]). One example we are considering is the verification of protocols.

The results in this paper partially depend on having a natural deduction presentation of the logic following the standard Prawitz/Dummett pattern of logical connectives described by introduction and elimination rules. This is true for CS4 and for PLL, but not for weaker logics, for example for a modal logic where $\Box$ satisfies only the $K$-axiom. Thus, our main challenge is to extend this work on categorical semantics to other modal logics.

Next we would like to apply our techniques to constructive temporal logics. 
Another direction we would like to pursue is providing concrete mathematical 
models for CS4. Some such applications might be generated as generalisation of 
our previous work on constraint verification in PLL. Meanwhile we shall continue our work on applications of constructive modal logics to programming.



Abstract. We develop a Labelled Natural Deduction framework for a
certain class of interval logics. With emphasis on Signed Interval Logic 
we consider normalization properties and show that normal derivations 
satisfy a subformula property. 

We have encoded our framework in the generic theorem proving system 
Isabelle. The labelled formalism turns out very convenient for conducting 
proofs and seems much closer to informal “pen and paper” reasoning than 
other proof systems. We give an example which supports this claim. 

We also sketch how the results are applicable to (non-signed) interval 
logic and Duration Calculus. 



1 Introduction 

Interval logics (e.g. [9,17,4,16,12]) are modal logics of temporal intervals. Such 
logics have proven useful for the specification and verification of real-time and 
safety-critical systems. 

Signed Interval Logic (SIL) [12] was proposed as an extension of Interval 
Temporal Logic (ITL) [9] with the introduction of the notion of a direction of an 
interval. SIL includes (as ITL) only one interval modality but SIL is (contrary 
to ITL) capable of specifying liveness properties. Other interval logics capable of 
this (such as Neighbourhood Logic [16]) have more than one interval modality. 

The interval modality of ITL is the binary chop $\frown$: A formula $\varphi \frown \psi$ holds on an interval iff it can be split into two consecutive subintervals where $\varphi$ and $\psi$ hold, respectively. With chop of ITL one can only reach subintervals of the current interval, hence it is only possible to specify safety properties of a system. SIL only has the chop modality too but because of the intervals with directions (the signed intervals), it is possible to specify liveness properties as the two "sub"-intervals can now reach outside the current interval. Signed intervals are represented as pairs of elements from some temporal domain; $(b, e)$ and $(e, b)$ represent the same interval but have opposite directions. Figure 1 illustrates the semantics of $\frown$ in SIL (note how the direction of an interval is indicated by an arrowhead). ITL includes a special symbol $\ell$ which represents the length of an interval. SIL inherits this symbol from ITL; $\ell$ now gives the signed length of a signed interval.

If ITL and SIL (and other interval logics alike) are to be used more widely 
it is very important to develop tools to help automate reasoning in these logics. 
[Figure 1: the signed interval $(b, e)$, its direction marked by an arrowhead, split at $m$ into the signed subintervals $(b, m)$ and $(m, e)$.]

Fig. 1. $\varphi \frown \psi$ holds on $(b, e)$ iff there is $m$ such that $\varphi$ holds on $(b, m)$ and $\psi$ on $(m, e)$

In [13] a proposal for a sequent calculus proof system for SIL is given. This 
system has some nice properties and is encoded in Isabelle in a way such that 
a substantial amount of automation is supported. Despite this, some proofs are 
still tedious to perform as the way to the informal “pen and paper” level of 
abstraction seems fairly long. The present paper is an attempt to narrow this 
gap. It is inspired by work on Labelled Natural Deduction (LND) [15,3] which 
combines classical natural deduction [11,14] with labelled deductive systems [5]. 
The LND formalism has shown its worth for traditional modal logics [1,2]. 

The rest of this paper is organized as follows: In Section 2 we consider propo- 
sitional logics with a binary modality. These can be seen as the propositional 
basis for SIL and ITL. We consider LND systems for these logics and discuss 
normalization properties. Building on these results we then in Section 3 discuss 
results for the full SIL logic, including a LND system and normalization and 
subformula properties. In Section 4 we consider an encoding of the LND system 
for SIL in Isabelle. We give an example which supports our claim that a la- 
belled formalism is very convenient for conducting proofs and seems much closer 
to informal “pen and paper” reasoning than other proof systems. In Section 5 
we briefly sketch how such a labelled formalism is useful for ITL and Duration 
Calculus (DC) as well before concluding in Section 6. 

2 Logics with a Binary Modality 

In this section we consider propositional logics with a binary modality. We start by giving the definition of a logic $\mathcal{L}^\frown$ with a binary modality [7,8]. Thereafter, we give a LND system for this class of logics and discuss normalization properties for such systems.

Formulas ($\alpha, \beta, \gamma, \ldots$) of $\mathcal{L}^\frown$ are constructed from an infinite set of propositional letters ($p, q, r, \ldots$) and $\bot$ (denoting falsity), using the usual Boolean operators ($\to$, $\vee$, $\wedge$ and $\neg$) and $\frown$. As we work with classical logic we will often restrict attention to a (functionally complete) set of operators (primarily $\{\to, \bot\}$, in which case $\neg\alpha$ is $\alpha \to \bot$) for the propositional logic part. We will collectively refer to operators and modalities as connectives. Formulas with no connectives are called atomic. We adopt the following precedences: 1) $\neg$ 2) $\frown$ 3) $\wedge$, $\vee$ and 4) $\to$, $\leftrightarrow$.

For $\mathcal{L}^\frown$ to be a logic with a binary modality it must [7,8] (at least) include the following: 1) All propositional tautologies and modus ponens. 2) Axioms saying that $\frown$ distributes over $\vee$:

$$\begin{array}{l}
\alpha \frown (\beta \vee \gamma) \to (\alpha \frown \beta) \vee (\alpha \frown \gamma) \\
(\alpha \vee \beta) \frown \gamma \to (\alpha \frown \gamma) \vee (\beta \frown \gamma),
\end{array}$$



and 3) the following monotonicity rules:

$$ M:\quad \frac{\alpha \to \beta}{(\alpha \frown \gamma) \to (\beta \frown \gamma)} \qquad\qquad \frac{\alpha \to \beta}{(\gamma \frown \alpha) \to (\gamma \frown \beta)} $$

The minimal logic with a binary modality is the logic with a binary modality consisting only of the above axioms and rules. If we include necessitation rules (one for each argument position of $\frown$, each with the single premise $\alpha$), we call the logic normal. We can thus speak of the minimal normal logic with a binary modality. We will denote this specific logic $\mathcal{L}_{AF}$¹. Provability (derivability) in $\mathcal{L}^\frown$ is defined the standard way.

A model $\mathfrak{M}$ for $\mathcal{L}^\frown$ is a triple $(\mathcal{W}, \mathcal{R}, \mathcal{V})$, where $\mathcal{W}$ is a non-empty set of (possible) worlds, $\mathcal{R}$ is a ternary accessibility relation on $\mathcal{W}$ and $\mathcal{V}$ is a function mapping propositional letters to subsets of $\mathcal{W}$. The pair $(\mathcal{W}, \mathcal{R})$ is called the frame of the model and we say that a model $(\mathcal{W}, \mathcal{R}, \mathcal{V})$ is based on the frame $(\mathcal{W}, \mathcal{R})$. We define satisfaction of a formula $\alpha$ in a world $w \in \mathcal{W}$ in a model $\mathfrak{M} = (\mathcal{W}, \mathcal{R}, \mathcal{V})$ (written $\mathfrak{M}, w \models \alpha$) as follows:

$$\begin{array}{lcl}
\mathfrak{M}, w \not\models \bot, \\
\mathfrak{M}, w \models p & \text{iff} & w \in \mathcal{V}(p), \\
\mathfrak{M}, w \models \alpha \to \beta & \text{iff} & \mathfrak{M}, w \models \alpha \text{ implies } \mathfrak{M}, w \models \beta, \\
\mathfrak{M}, w \models \alpha \frown \beta & \text{iff} & \mathfrak{M}, v \models \alpha \text{ and } \mathfrak{M}, u \models \beta \text{ and } \mathcal{R}(v, u, w) \text{ for some } v, u \in \mathcal{W}.
\end{array}$$

We say that a formula $\alpha$ is valid in a class of frames $\mathfrak{F}$ if for all frames $F$ of $\mathfrak{F}$, for all models $\mathfrak{M}$ based on $F$ and for all worlds $w$ of $\mathfrak{M}$, $\mathfrak{M}, w \models \alpha$.

If $\alpha$ is a theorem of $\mathcal{L}_{AF}$ we write $\vdash_{AF} \alpha$. It is easy to check that all axioms of $\mathcal{L}_{AF}$ are valid and that all inference rules of $\mathcal{L}_{AF}$ preserve validity in the class of all frames. In fact, we have a much stronger result [7,8]: $\mathcal{L}_{AF}$ is characterized exactly by the class of all frames, viz.

Theorem 1. $\models_{AF} \alpha$ iff $\vdash_{AF} \alpha$,

where $\models_{AF} \alpha$ denotes validity of $\alpha$ in the class of all frames.



2.1 Labelled Natural Deduction 

A labelled formula is a pair of a possible world $w \in \mathcal{W}$ and a formula $\alpha$, written $w : \alpha$. A relational formula is a triple of possible worlds $v, u, w$, written $R(v,u,w)$. We let $\eta$ denote an arbitrary labelled/relational formula.

¹ AF in $\mathcal{L}_{AF}$ is short for "All Frames". The reason for this will be made clear below.
We define satisfaction of $\eta$ in a model $\mathfrak{M} = (\mathcal{W}, \mathcal{R}, V)$ (written $\mathfrak{M} \Vdash \eta$) as follows:
$$\begin{array}{lcl}
\mathfrak{M} \not\Vdash w : \bot\,, & & \\
\mathfrak{M} \Vdash R(v,u,w) & \text{iff} & \mathcal{R}(v,u,w)\,,\\
\mathfrak{M} \Vdash w : p & \text{iff} & w \in V(p)\,,\\
\mathfrak{M} \Vdash w : \alpha\to\beta & \text{iff} & \mathfrak{M} \Vdash w : \alpha \text{ implies } \mathfrak{M} \Vdash w : \beta\,,\\
\mathfrak{M} \Vdash w : \alpha\frown\beta & \text{iff} & \mathfrak{M} \Vdash v : \alpha \text{ and } \mathfrak{M} \Vdash u : \beta \text{ and } \mathfrak{M} \Vdash R(v,u,w) \text{ for some } v,u \in \mathcal{W}\,.
\end{array}$$
We say that a labelled formula $w : \alpha$ is valid in a class of frames $\mathfrak{F}$ if for all frames $F$ of $\mathfrak{F}$, for all models $\mathfrak{M}$ based on $F$, $\mathfrak{M} \Vdash w : \alpha$.

It is clear that $\mathfrak{M} \Vdash w : \alpha$ iff $\mathfrak{M}, w \models \alpha$. Thus, if we let $\Vdash_{AF} w : \alpha$ denote validity of $w : \alpha$ in the class of all frames we have

Proposition 1. $\models_{AF} \alpha$ iff $\Vdash_{AF} w : \alpha$.

We define a LND system for $\mathcal{L}_{AF}$ in the style of [1,3]:
$$\frac{\begin{array}{c}[w : \alpha]\\ \vdots\\ w : \beta\end{array}}{w : \alpha\to\beta}\;\to I
\qquad\qquad
\frac{w : \alpha\to\beta\qquad w : \alpha}{w : \beta}\;\to E
\qquad\qquad
\frac{\begin{array}{c}[w : \alpha\to\bot]\\ \vdots\\ w' : \bot\end{array}}{w : \alpha}\;\bot E$$
$$\frac{v : \alpha\qquad u : \beta\qquad R(v,u,w)}{w : \alpha\frown\beta}\;\frown I
\qquad\qquad
\frac{w : \alpha\frown\beta\qquad\begin{array}{c}[v : \alpha]\ \ [u : \beta]\ \ [R(v,u,w)]\\ \vdots\\ w' : \gamma\end{array}}{w' : \gamma}\;\frown E$$
In $\frown E$, $v$ and $u$ are different from both $w, w'$ and each other, and do not occur in any assumption on which the upper occurrence of $w' : \gamma$ depends except $v : \alpha$, $u : \beta$ and $R(v,u,w)$. The rule $\bot E$ can be regarded as an E(limination)-rule for $\bot$ (hence the name) but when we henceforth collectively refer to E-rules this will not include $\bot E$. The major premise of an E-rule is the premise containing the connective being eliminated. A premise which is not major is called minor.

When assumptions are closed (indicated by $[\cdots]$) by one of the rules $\to I$, $\bot E$ or $\frown E$, we will use a natural number to identify which rules close which assumptions. Assumptions which are not closed by any rule are called open.

Definition 1. A (LND) derivation of a labelled formula $w : \alpha$ from a set of labelled formulas $\Sigma$ and a set of relational formulas $\Delta$ in a logic $\mathcal{L}$ is a tree formed using the (LND) rules of $\mathcal{L}$ with $w : \alpha$ as root and where the leaves are either closed assumptions or open assumptions belonging to $\Sigma$ or $\Delta$. We will use $\Pi$ to denote derivations. Provability and theoremhood are defined as usual.

We write $\vdash_{AF} w : \alpha$ if there is a proof of $w : \alpha$ in the LND system for $\mathcal{L}_{AF}$.

In [3] a general soundness and completeness result concerning labelled propositional logics with n-ary modalities is proved:

Theorem 2. $\Vdash_{AF} w : \alpha$ iff $\vdash_{AF} w : \alpha$.

If we are only interested in completeness with respect to the standard semantics we can prove it more directly:

Proposition 2. $\models_{AF} \alpha$ iff $\vdash_{AF} w : \alpha$.

Proof. Soundness is straightforward; using Proposition 1 we show that the LND rules preserve labelled validity.² For the completeness part we utilize Theorem 1: We show that if $\vdash_{AF} \alpha$ then $\vdash_{AF} w : \alpha$. This can be shown by induction on the length of the proof of $\vdash_{AF} \alpha$, which amounts to showing that all axioms are provable and that the rules preserve provability in the LND system. The propositional part is completely standard, hence we can restrict our attention to K, M and N. We here only show the latter case:
$$\frac{\dfrac{[w : (\alpha\to\bot)\frown\beta]^2\qquad \dfrac{\dfrac{[v : \alpha\to\bot]^1\qquad v : \alpha}{v : \bot}\;\to E}{w : \bot}\;\bot E}{w : \bot}\;\frown E^1}{w : (\alpha\to\bot)\frown\beta \to \bot}\;\to I^2$$
This derivation is valid as $\vdash_{AF} u : \alpha$ for all $u$ by the induction hypothesis. We can in particular assume $\vdash_{AF} v : \alpha$. □
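As an added example (not code from the paper), the following Python checker implements the labelled rules $\to I$, $\to E$, $\bot E$, $\frown I$ and $\frown E$ of the $\{\bot, \to, \frown\}$ fragment, including the freshness side condition on $\frown E$, and verifies the derivation used in the N case above with $\alpha = p \to p$ standing in for the provable formula of the induction hypothesis. The tuple encoding of formulas and judgements, the rule names and the `Deriv` tree are assumptions of this example, not notation of the paper.

```python
"""Checker for derivations in the {bot, ->, chop} fragment of the labelled
natural deduction system for L_AF (Section 2.1).  Added example, not the
paper's code; the encoding of formulas, judgements and trees is our own."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Formulas: BOT, ('p', name), ('imp', a, b), ('chop', a, b)
BOT = 'bot'
def P(name):    return ('p', name)
def IMP(a, b):  return ('imp', a, b)
def CHOP(a, b): return ('chop', a, b)

# Judgements: labelled formula ('lf', w, phi) or relational formula ('rel', v, u, w)
def LF(w, phi):   return ('lf', w, phi)
def REL(v, u, w): return ('rel', v, u, w)

def labels(j):
    """Worlds (labels) occurring in a judgement."""
    return {j[1]} if j[0] == 'lf' else {j[1], j[2], j[3]}

@dataclass(frozen=True)
class Deriv:
    rule: str                        # 'assume', 'impI', 'impE', 'botE', 'chopI', 'chopE'
    concl: tuple                     # judgement at the root of this (sub)derivation
    subs: Tuple['Deriv', ...] = ()   # immediate subderivations (premises)
    tag: Optional[int] = None        # assumption tag at a leaf, or the tag closed by this rule
    eigen: Tuple[str, ...] = ()      # the fresh labels (v, u) of a chopE application

def _close(rule, tag, opens, allowed):
    """Discharge the open assumptions carrying `tag`; each must have an allowed shape."""
    here = {a for a in opens if a[0] == tag}
    for _, j in here:
        if j not in allowed:
            raise ValueError(f'{rule}: may not close {j}')
    return opens - here

def check(d: Deriv) -> FrozenSet[tuple]:
    """Return the open assumptions (tag, judgement) of d; raise ValueError when a
    rule is misapplied or a side condition is violated."""
    opens = [check(s) for s in d.subs]
    c = d.concl
    if d.rule == 'assume':
        return frozenset({(d.tag, c)})
    if d.rule == 'impI':                         # [w:a] ... w:b  /  w:a->b
        (s,) = d.subs
        if not (c[0] == 'lf' and c[2][0] == 'imp' and s.concl == LF(c[1], c[2][2])):
            raise ValueError('impI: conclusion does not match premise')
        return _close(d.rule, d.tag, opens[0], {LF(c[1], c[2][1])})
    if d.rule == 'impE':                         # w:a->b  w:a  /  w:b
        maj, mnr = d.subs
        w, phi = maj.concl[1], maj.concl[2]
        if not (maj.concl[0] == 'lf' and phi[0] == 'imp'
                and mnr.concl == LF(w, phi[1]) and c == LF(w, phi[2])):
            raise ValueError('impE: premises do not match')
        return opens[0] | opens[1]
    if d.rule == 'botE':                         # [w:a->bot] ... w':bot  /  w:a
        (s,) = d.subs
        if not (s.concl[0] == 'lf' and s.concl[2] == BOT and c[0] == 'lf'):
            raise ValueError("botE: premise must be w':bot")
        return _close(d.rule, d.tag, opens[0], {LF(c[1], IMP(c[2], BOT))})
    if d.rule == 'chopI':                        # v:a  u:b  R(v,u,w)  /  w:a chop b
        a, b, r = (s.concl for s in d.subs)
        if not (a[0] == b[0] == 'lf' and r == REL(a[1], b[1], c[1])
                and c == LF(r[3], CHOP(a[2], b[2]))):
            raise ValueError('chopI: premises do not match')
        return opens[0] | opens[1] | opens[2]
    if d.rule == 'chopE':                        # w:a chop b  [v:a][u:b][R(v,u,w)] ... w':g  /  w':g
        maj, mnr = d.subs
        v, u = d.eigen
        w, phi = maj.concl[1], maj.concl[2]
        if not (maj.concl[0] == 'lf' and phi[0] == 'chop' and c == mnr.concl):
            raise ValueError('chopE: premises do not match')
        rest = _close(d.rule, d.tag, opens[1], {LF(v, phi[1]), LF(u, phi[2]), REL(v, u, w)})
        # side condition: v, u differ from w, w' and each other, and occur in no
        # assumption the minor derivation still depends on
        if v == u or {v, u} & {w, c[1]} or any({v, u} & labels(j) for _, j in rest):
            raise ValueError('chopE: eigenlabels v, u are not fresh')
        return opens[0] | rest
    raise ValueError(f'unknown rule {d.rule}')

def necessitation_example() -> Deriv:
    """The N case of Proposition 2 with alpha = p -> p (provable, so it stands in
    for the induction hypothesis) and beta = q:
    derive  w : ((p -> p) -> bot) chop q -> bot  with no open assumptions."""
    p, q = P('p'), P('q')
    alpha, not_alpha = IMP(p, p), IMP(IMP(p, p), BOT)
    d_alpha = Deriv('impI', LF('v', alpha), (Deriv('assume', LF('v', p), tag=0),), tag=0)
    d_bot_v = Deriv('impE', LF('v', BOT), (Deriv('assume', LF('v', not_alpha), tag=1), d_alpha))
    d_bot_w = Deriv('botE', LF('w', BOT), (d_bot_v,), tag=9)   # closes nothing
    major = Deriv('assume', LF('w', CHOP(not_alpha, q)), tag=2)
    d_chopE = Deriv('chopE', LF('w', BOT), (major, d_bot_w), tag=1, eigen=('v', 'u'))
    return Deriv('impI', LF('w', IMP(CHOP(not_alpha, q), BOT)), (d_chopE,), tag=2)

def escaping_label_example() -> Deriv:
    """Rejected by check(): the minor premise of chopE is u : q itself, so the
    eigenlabel u escapes into the conclusion."""
    p, q = P('p'), P('q')
    major = Deriv('assume', LF('w', CHOP(p, q)), tag=1)
    minor = Deriv('assume', LF('u', q), tag=2)
    return Deriv('chopE', LF('u', q), (major, minor), tag=2, eigen=('v', 'u'))

if __name__ == '__main__':
    print('N case, open assumptions:', set(check(necessitation_example())))
    try:
        check(escaping_label_example())
    except ValueError as e:
        print('rejected:', e)
```

`check` returns the set of open assumptions, so a closed proof of the N instance yields the empty set, while the second tree is refused because the label `u` introduced by $\frown E$ occurs in the conclusion $w' : \gamma$.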



2.2 Normalization 

We now turn to consider normalization properties of the LND system for $\mathcal{L}_{AF}$.

From the semantics we observe that $\frown$ is an existential $\Diamond$-like binary modality. The normalization proofs get simpler if we instead consider a universal $\Box$-like binary modality, which we write $\bar\frown$. We define $\bar\frown$ by the following LND rules:
$$\frac{\begin{array}{c}[v : \alpha]\ \ [R(v,u,w)]\\ \vdots\\ u : \beta\end{array}}{w : \alpha\bar\frown\beta}\;\bar\frown I
\qquad\qquad
\frac{w : \alpha\bar\frown\beta\qquad v : \alpha\qquad R(v,u,w)}{u : \beta}\;\bar\frown E$$
where in $\bar\frown I$, $v$ and $u$ are different from both $w$ and each other, and do not occur in any assumption on which $u : \beta$ depends other than $v : \alpha$ and $R(v,u,w)$.

We can show that $\bot, \to, \bar\frown$ is a functionally complete fragment for $\mathcal{L}_{AF}$ by defining $w : \alpha\frown\beta$ iff $w : (\alpha\bar\frown(\beta\to\bot))\to\bot$ and showing that the rules for $\frown$ can be derived from those for $\bar\frown$. Below we give the case for $\frown I$:
$$\frac{\dfrac{\dfrac{\dfrac{[w : \alpha\bar\frown(\beta\to\bot)]^1\qquad v : \alpha\qquad R(v,u,w)}{u : \beta\to\bot}\;\bar\frown E\qquad u : \beta}{u : \bot}\;\to E}{w : \bot}\;\bot E}{w : (\alpha\bar\frown(\beta\to\bot))\to\bot}\;\to I^1$$

² This is (not surprisingly) also the way soundness of Theorem 2 is proved in [3].

We could similarly derive the rules for $\bar\frown$ from those for $\frown$. In the following we will restrict attention to the $\bot, \to, \bar\frown$ fragment. The size of a formula is the number of connectives in the formula.



Proposition 3. For any derivation of $w : \alpha$ in the LND system for $\mathcal{L}_{AF}$ there is a derivation of $w : \alpha$ with the following restrictions on the $\bot E$ rule: 1) The conclusion is always atomic, and 2) there are no applications immediately following each other.



Proof. 1) In the original derivation, pick out an application of $\bot E$ where the conclusion has maximal size. If not atomic (in which case we are done), this conclusion will have form $\alpha\to\beta$ or $\alpha\bar\frown\beta$. Below we only consider the latter case (the former follows analogously). We replace the derivation with one where the conclusion of the affected $\bot E$ has less size by the following transformation (denoted by $\leadsto$) of part of the derivation tree (the rest of the derivation tree is unchanged):
$$\frac{\begin{array}{c}[w : (\alpha\bar\frown\beta)\to\bot]^1\\ \Pi\\ v' : \b
ot\end{array}}{w : \alpha\bar\frown\beta}\;\bot E^1
\qquad\leadsto\qquad
\frac{\dfrac{\begin{array}{c}\dfrac{\dfrac{\dfrac{[w : \alpha\bar\frown\beta]^2\quad [v : \alpha]^3\quad [R(v,u,w)]^3}{u : \beta}\;\bar\frown E\qquad [u : \beta\to\bot]^1}{u : \bot}\;\to E}{w : \bot}\;\bot E}{w : (\alpha\bar\frown\beta)\to\bot}\;\to I^2\\ \Pi\\ v' : \bot\end{array}}{u : \beta}\;\bot E^1}{w : \alpha\bar\frown\beta}\;\bar\frown I^3$$
By induction it is now easy to see that repeated applications of this transformation yield the desired derivation. In the case of 2) we notice that if there are to be two $\bot E$ rules immediately following each other the uppermost has to have conclusion $v : \bot$ (for some $v$). But then it is clearly superfluous and can thus be removed. □



Definition 2. A maximal formula in a derivation is a labelled formula which is both the conclusion of an introduction rule and the major premise of an elimination rule. A derivation is normal if it contains no maximal formulas, all applications of $\bot E$ have atomic consequences and there are no applications of $\bot E$ immediately following each other.

An introduced labelled formula which is immediately eliminated does clearly not contribute to the derivation, hence a maximal formula can be removed by a transformation called a contraction step. Below we show the case of $\bar\frown$:
$$\frac{\dfrac{\begin{array}{c}[v' : \alpha]^1\ \ [R(v',u',w)]^1\\ \Pi\\ u' : \beta\end{array}}{w : \alpha\bar\frown\beta}\;\bar\frown I^1\qquad v : \alpha\qquad R(v,u,w)}{u : \beta}\;\bar\frown E
\qquad\leadsto\qquad
\begin{array}{c}v : \alpha\qquad R(v,u,w)\\ \Pi[v/v', u/u']\\ u : \beta\end{array}$$
where $\Pi[v/v', u/u']$ is obtained from $\Pi$ by systematically substituting $v$ for $v'$ and $u$ for $u'$, with a suitable renaming of the variables to avoid clashes.

Repeated applications of such contraction steps, together with Proposition 3, yield the following.

Theorem 3. Any derivation can be transformed into a normal derivation.



Definition 3. A track in a derivation $\Pi$ is a sequence of labelled formulas $w_1 : \alpha_1, w_2 : \alpha_2, \ldots, w_n : \alpha_n$ where $w_1 : \alpha_1$ is a leaf and for $1 \le i < n$, $w_{i+1} : \alpha_{i+1}$ is immediately below $w_i : \alpha_i$ and $w_i : \alpha_i$ is not the minor premise of a $\to E$ or $\bar\frown E$ rule. A track of order 0 ends in the root of $\Pi$; a track of order $n+1$ ends in the minor premise of an E-rule with major premise belonging to a track of order $n$.

The above definition of a track is an extension of that of [11] (we use the terminology of [14]) for propositional logic to $\mathcal{L}_{AF}$. The key observation is that the structure of the rules $\to I$ and $\to E$ is similar to that of $\bar\frown I$ and $\bar\frown E$, respectively (disregarding judgments concerning the accessibility relation $R$).

Proposition 4. Let $w_1 : \alpha_1, w_2 : \alpha_2, \ldots, w_n : \alpha_n$ be a track in a normal derivation. There is a minimal formula $\alpha_i$ such that 1) $w_j : \alpha_j$ ($j < i$) is a major premise of an E-rule and $\alpha_j$ is a superformula of $\alpha_{j+1}$, 2) $w_i : \alpha_i$ ($i \ne n$) is a premise of an I-rule or $\bot E$, and 3) $w_j : \alpha_j$ ($i < j < n$) is a premise of an I-rule and $\alpha_j$ is a subformula of $\alpha_{j+1}$.

Proof. As the derivation is normal, in the track, an E-rule cannot follow an I-rule (there are no maximal formulas) and it cannot follow a $\bot E$ rule (the consequence is atomic). The $\bot E$ rule cannot follow an I-rule as the premise is $\bot$ and by normality there will thus at most be one $\bot E$ rule. □



Definition 4. Consider a derivation $\Pi$ of $w : \alpha$ from $\Sigma$ and $\Delta$. Let $S = \{\alpha\} \cup \{\gamma \mid u : \gamma \in \Sigma \text{ for some } u\}$. $\Pi$ is said to have the subformula property if for any labelled formula $v : \beta$ in $\Pi$, 1) $\beta$ is $\bot$, 2) $\beta$ is a subformula of some formula in $S$, or 3) $\beta$ is $\neg\beta'$ and $\beta'$ is a subformula of some formula in $S$.

Theorem 4. Any normal derivation satisfies the subformula property.

Proof. We start by observing that any formula in a derivation belongs to some track $w_1 : \alpha_1, w_2 : \alpha_2, \ldots, w_n : \alpha_n$. By Proposition 4, all $\alpha_i$ ($1 \le i \le n$) are subformulas of either $\alpha_1$ or $\alpha_n$. By induction on the order of the track we now conclude that any formula in a normal derivation will be a subformula of either the root or a leaf. Consider a closed assumption: If it is closed by one of the I-rules it will be a subformula of the conclusion of that I-rule. If it is closed by $\bot E$ it will have the form $\neg\beta$ and $\beta$ will be the conclusion of that $\bot E$ rule. □
3 Labelled Signed Interval Logic

In this section we develop a LND system for SIL. This is done in steps where we first extend $\mathcal{L}_{AF}$ to first order logic, then to so called $\mathcal{S}$-models and finally to the full system for SIL. We conclude by considering normalization and subformula properties as for $\mathcal{L}_{AF}$.



3.1 First Order Logic with Equality 

In this section we extend the LND system for $\mathcal{L}_{AF}$ to include first order logic with equality. We therefore, in a standard way, extend the syntax to include predicate and function symbols, variables and quantifiers. We will use $x, y, z, \ldots$ for variables, $s, t, u, \ldots$ for terms and $\phi, \psi, \ldots$ for formulas.³ We only consider constant domains of individuals but we want to distinguish between rigid and flexible symbols; rigid symbols have the same meaning in all worlds whereas the meaning of flexible terms can vary. In the presence of flexible symbols it is necessary to put extra side conditions on quantifier and equality rules to retain soundness. For this we introduce two new judgments, $\mathrm{ri}(s)$ and $\mathrm{cf}(\phi)$, stating, respectively, that $s$ is a rigid term and that $\phi$ is a chop-free formula. A chop-free formula is a formula which does not contain any modalities (in particular, neither $\frown$ nor $\bar\frown$). We will also have to consider rigid formulas; we overload the ri judgment to state this: $\mathrm{ri}(\phi)$. Rigidity and chop-freeness are straightforwardly inductively defined over the structure of terms and formulas. For example:
$$\frac{\mathrm{cf}(\phi)\quad\mathrm{cf}(\psi)}{\mathrm{cf}(\phi\wedge\psi)}\;\mathrm{cf}{\wedge}I
\qquad
\frac{\mathrm{cf}(\phi\wedge\psi)}{\mathrm{cf}(\phi)}\;\mathrm{cf}{\wedge}E
\qquad
\frac{}{\mathrm{cf}(\phi)}\;\mathrm{cf}A
\qquad
\frac{\mathrm{ri}(s)\quad\mathrm{ri}(t)}{\mathrm{ri}(s = t)}\;\mathrm{ri}{=}I
\qquad
\frac{\begin{array}{c}[\mathrm{ri}(x)]\\ \vdots\\ \mathrm{ri}(\phi)\end{array}}{\mathrm{ri}((\forall x)\phi)}\;\mathrm{ri}{\forall}I$$
where cfA has the side condition that $\phi$ must be atomic. It should be clear how I- and E-rules are defined for the remaining connectives in the case of both rigidity and chop-freeness. We can now give the LND rules for the quantifiers:⁴
$$\frac{\begin{array}{c}[\mathrm{ri}(x)]\\ \vdots\\ w : \phi\end{array}}{w : (\forall x)\phi}\;\forall I
\qquad
\frac{w : (\forall x)\phi\quad\mathrm{ri}(t)}{w : \phi[t/x]}\;\forall E\mathrm{ri}
\qquad
\frac{w : (\forall x)\phi\quad\mathrm{cf}(\phi)}{w : \phi[t/x]}\;\forall E\mathrm{cf}$$
$$\frac{w : \phi[t/x]\quad\mathrm{ri}(t)}{w : (\exists x)\phi}\;\exists I\mathrm{ri}
\qquad
\frac{w : \phi[t/x]\quad\mathrm{cf}(\phi)}{w : (\exists x)\phi}\;\exists I\mathrm{cf}
\qquad
\frac{w : (\exists x)\phi\qquad\begin{array}{c}[w : \phi]\ \ [\mathrm{ri}(x)]\\ \vdots\\ v : \psi\end{array}}{v : \psi}\;\exists E$$
In $\forall I$, $x$ is not free in any assumption on which $\phi$ depends except $\mathrm{ri}(x)$. In $\exists E$, $x$ is not free in $\psi$ nor in any assumption on which $\psi$ depends except $\phi$ and $\mathrm{ri}(x)$. As known from classical logic, the rules for $\exists$ are derivable from those for $\forall$ (this still holds for the above modified rules). Thus, we can restrict attention to $\forall$ in the following.

³ We use $\phi, \psi, \ldots$ for formulas (instead of $\alpha, \beta, \ldots$) to emphasise the move from propositional to first order logic.

⁴ Note that the form of these rules ensures that variables always act as rigid.

Equality rules and a structural rule for rigid formulas can now be defined.
$$\frac{w : \phi[s/x]\quad w : s = t\quad\mathrm{ri}(s)\quad\mathrm{ri}(t)}{w : \phi[t/x]}\;\mathrm{Subst}_{\mathrm{ri}}
\qquad
\frac{}{w : s = s}\;\mathrm{Refl}
\qquad
\frac{w : \phi[s/x]\quad w : s = t\quad\mathrm{cf}(\phi)}{w : \phi[t/x]}\;\mathrm{Subst}_{\mathrm{cf}}
\qquad
\frac{v : \phi\quad\mathrm{ri}(\phi)}{w : \phi}\;R$$

A contraction step for $\forall$ can be defined and Theorem 3 can be modified accordingly. Also Definition 3 can be extended to include the case for $\forall$. The method of the proof of 1) in Proposition 3 can be repeated to prove the following.

Lemma 1. The rules $\mathrm{Subst}_{\mathrm{ri}}$ and $\mathrm{Subst}_{\mathrm{cf}}$ can be restricted to applications where $\phi$ is atomic.

To end this section, we will briefly consider the structure of derivations involving the rules for ri/cf: We observe that the derivation of a labelled formula might depend on the ri/cf rules whereas derivations of ri/cf judgments never depend on labelled formulas or each other; thus, the derivation tree can be seen as "decorated" with independent derivations of ri/cf judgments. Because the rules for ri/cf have a very simple form we can, in these cases, easily define normal derivations which will satisfy a subformula property and furthermore be unique.



3.2 $\mathcal{S}$-Models

The semantics for $\mathcal{L}_{AF}$ can be extended in the obvious way to include first order models. Here we restrict attention to so called $\mathcal{S}$-models. These are first order models which include the flexible symbol $\ell$ and have a certain uniqueness constraint on worlds. The Hilbert system for $\mathcal{L}_{AF}$ can be extended to a first order logic version as well, and adding certain axioms gives the following result: $\models_{\mathcal{S}} \phi$ iff $\vdash_{\mathcal{S}} \phi$. We will here not go into further details but refer to [4,12]. Based on the standard semantics we can straightforwardly define a corresponding labelled semantics (as for $\mathcal{L}_{AF}$) and prove: $\models_{\mathcal{S}} \phi$ iff $\Vdash_{\mathcal{S}} w : \phi$.

We now define a LND system for $\mathcal{S}$. This includes the rules of first order logic with equality and the following two rules:
$$\frac{u' : \phi\quad v : \ell = s\quad v' : \ell = s\quad R(v,u,w)\quad R(v',u',w)\quad\mathrm{ri}(s)}{u : \phi}\;S1
\qquad
\frac{v' : \phi\quad u : \ell = s\quad u' : \ell = s\quad R(v,u,w)\quad R(v',u',w)\quad\mathrm{ri}(s)}{v : \phi}\;S2$$
In the same way as Proposition 2 we can prove:

Proposition 5. $\models_{\mathcal{S}} \phi$ iff $\vdash_{\mathcal{S}} w : \phi$.

3.3 Signed Interval Logic

We now further restrict $\mathcal{S}$-models so as to obtain SIL-models. The prominent feature of SIL-models is that the worlds of $\mathcal{W}$ are pairs of elements taken from a temporal domain $T$, and $\mathcal{R} = \{((i,k), (k,j), (i,j)) \mid i, j, k \in T\}$. Note how this means that the worlds are signed intervals as discussed in the introduction, and how $\mathcal{R}$ gives a formal definition of the semantics of $\frown$ as illustrated in Figure 1. Besides this, $\ell$ is interpreted by a certain measure and we require the domain of individuals to have the structure of an Abelian group. We further extend the Hilbert system for $\mathcal{S}$ with suitable axioms and we get: $\models_{SIL} \phi$ iff $\vdash_{SIL} \phi$ [12]. Also as for $\mathcal{S}$, we can define a labelled semantics for SIL and show: $\models_{SIL} \phi$ iff $\Vdash_{SIL} w : \phi$.

We now turn to a LND system for SIL. We start out by observing that because of the special structure of worlds and the accessibility relation we do not have to explicitly include the $R$ judgment in the rules but can make it implicit. In the case of $\frown E$ we e.g. have (and similarly for the other rules):
$$\frac{(i,j) : \phi\frown\psi\qquad\begin{array}{c}[(i,k) : \phi]\ \ [(k,j) : \psi]\\ \vdots\\ (m,n) : \chi\end{array}}{(m,n) : \chi}\;\frown E$$
We can now define the LND system for SIL as that for $\mathcal{S}$ with the addition of the following rules:
$$\frac{}{(i,i) : \ell = 0}\;\ell 0
\qquad
\frac{(i,k) : \ell = s\quad (k,j) : \ell = t\quad\mathrm{ri}(s)\quad\mathrm{ri}(t)}{(i,j) : \ell = s + t}\;\ell{+}I
\qquad
\frac{(i,j) : \ell = s + t\qquad\begin{array}{c}[(i,k) : \ell = s]\ [\mathrm{ri}(s)]\ \ [(k,j) : \ell = t]\ [\mathrm{ri}(t)]\\ \vdots\\ (m,n) : \psi\end{array}}{(m,n) : \psi}\;\ell{+}E$$
and four axioms (i.e. rules with no premises) defining the properties of an Abelian group:⁵ $(i,j) : s + (t + u) = (s + t) + u$, $(i,j) : s + 0 = s$, $(i,j) : s + (-s) = 0$ and $(i,j) : s + t = t + s$. In $\ell{+}E$, $k$ is different from $i$, $j$, $m$ and $n$ and does not occur in any assumption on which the upper occurrence of $(m,n) : \psi$ depends except $(i,k) : \ell = s$ and $(k,j) : \ell = t$.

Extending Proposition 5 we can prove:

Theorem 5. $\models_{SIL} \phi$ iff $\vdash_{SIL} w : \phi$.

Lemma 2. The rules $R$, $S1$ and $S2$ can be restricted to applications where $\phi$ is atomic.

This lemma is proven in the same way as Lemma 1 but notice that it does not hold for general accessibility relations as $\mathcal{R}$ has to be total (which in particular is the case for SIL-models). Furthermore, by inspecting the completeness proof for Labelled SIL (Theorem 5) we derive the following lemma:

Lemma 3. The rule $\ell{+}E$ can be restricted to applications where $\psi$ is $\bot$.

⁵ Formally, this requires the definition of a derivation to be extended to the cases where leaves can be axioms as well.

3.4 Normalization

In this section we consider normalization properties of the LND system for SIL.

We extend the definition of a normal derivation (Definition 2) to include the requirements that applications of the rules $\mathrm{Subst}_{\mathrm{ri}}$, $\mathrm{Subst}_{\mathrm{cf}}$, $R$, $S1$ and $S2$ are on atomic formulas only, and that applications of $\ell{+}E$ are on $\bot$ only. By Lemmas 1, 2 and 3 we have that Theorem 3 is valid for the full SIL system too.

Unfortunately, we will not have as nice properties of tracks as those of Proposition 4. But because of the structure of normal derivations, tracks can still be divided in three parts: An elimination part, a part working on atomic formulas and/or $\bot$, and an introduction part. It is possible to go into more detail concerning the structure of the middle part (such as the ordering of the rules, the maximum number of certain rules, etc.) but we will for space reasons not do this here. The important thing is that a normal derivation as defined is enough to achieve a subformula property. First, though, we have to address what we mean by subformula in a first order logic with equality: We say that $\phi$ is a subformula of $\psi[s/t]$ if $\phi$ is a subformula of $\psi$, independently of $t$ and $s$. In other words, we do not take the term level into account. Given this, if we extend the definition of the subformula property of a derivation (Definition 4) to include the case where a formula in the derivation is allowed to be an arbitrary atomic formula we can show the following:

Theorem 6. Any normal derivation in the LND system for SIL satisfies the subformula property.

Note that this result relies on the fact that with the above definition of the subformula property it is not a problem to add axioms to the system as long as they are atomic. This is in particular the case for the SIL system.

4 Isabelle Encoding

In this section we discuss and describe an encoding of Labelled SIL in Isabelle [10]. Below is a dump of (part of) the theory file for Isabelle/LSIL.⁶

    LSIL = Pure +

    types    T o D
    classes  term < logic
    arities  T,o :: logic, D :: term
    default  term

    consts
      LF   :: "[T, T, o] => prop"    ("(<_,_> : (_))" [6,6,5] 4)
      RI   :: "'a :: logic => prop"  ("(RI _)")
      CF   :: "o => prop"            ("(CF _)")
      True :: "o"
      "&"  :: "[o, o] => o"          (infixr 35)
      "~"  :: "[o, o] => o"          (infixr 38)
      "="  :: "[D, D] => o"          (infixl 50)
      Ex   :: "(D => o) => o"        (binder "EX " 10)
      len  :: "D"
      conv :: "o => o"

    rules
      conjI    "[| <i,j>:P; <i,j>:Q |] ==> <i,j>:P&Q"
      chopI    "[| <i,k>:P; <k,j>:Q |] ==> <i,j>:P~Q"
      chopE    "[| <i,j>:P~Q; !!k. [| <i,k>:P; <k,j>:Q |] ==> <l,m>:R |] ==> <l,m>:R"
      lenZero  "<i,i> : len=0"
      conv_def "conv(P) == (EX x. (len=x) & ((len=0) & (len=x) ~ P) ~ True)"
      exIRI    "[| RI s; <i,j>:P(s) |] ==> <i,j>:(EX x. P(x))"
      exE      "[| <i,j>:EX x. P(x); !!x. [| RI x; <i,j>:P(x) |] ==> <k,l>:R |] ==> <k,l>:R"

    end

⁶ We have for space reasons omitted the definitions of some of the constants as well as their defining rules but otherwise the dump includes all necessary definitions.

Three types are defined: T (the temporal domain), o (formulas) and D (terms). Three judgments are defined (in Isabelle, judgments are coercions from the object level to truth values (the type prop) of the meta level): LF (labelled formulas), RI (note how the definition is polymorphic such that rigidity can be defined for both formulas and terms using the same judgment) and CF. To capture that atomic formulas are chop-free we simply introduce an axiom explicitly saying this for each predicate symbol we introduce in the logic. In the case of = we e.g. have CF (s=t).

By comparing the rules of the theory file with the LND rules of the previous sections we see a convincing one-to-one correspondence. The only thing worth mentioning is how the side conditions concerning freeness of variables in assumptions (as for $\exists E$) and the non-occurrence of worlds in assumptions (as for $\frown E$) are handled in Isabelle: Both cases are neatly taken care of by meta quantification (!!) as illustrated by exE and chopE.



4.1 The Converse Modality

In this section we will give an example of reasoning in Isabelle/LSIL. The example is concerned with properties of an unary modality $^{-1}$ definable in SIL, which "reverses" the direction of an interval:
$$\phi^{-1} = (\exists x)\big(\,(\ell = x) \wedge (\,(\ell = 0) \wedge (\ell = x)\frown\phi\,)\frown true\,\big)\,.$$
We would like to show the following properties of $^{-1}$:
$$1)\ (\phi^{-1})^{-1} \leftrightarrow \phi\,,\qquad 2)\ (\phi\frown\psi)^{-1} \leftrightarrow \psi^{-1}\frown\phi^{-1}\,.$$
We have proven both theorems in Isabelle/LSIL. For this it was very convenient to first prove two derived rules:
$$\frac{(i,j) : \phi}{(j,i) : \phi^{-1}}\;{}^{-1}I\qquad\qquad\frac{(j,i) : \phi^{-1}}{(i,j) : \phi}\;{}^{-1}E$$
We will discuss the proof of $^{-1}I$ in some detail in the following. We start out by giving an informal "pen and paper" proof: We want to show $(j,i) : \phi^{-1}$ (read: $\phi^{-1}$ holds on the signed interval $(j,i)$) under the assumption $(i,j) : \phi$. First, we notice that any interval has a length; assume the length of $(j,i)$ is $a$, i.e., $(j,i) : \ell = a$. Thus, after expanding the definition of $\phi^{-1}$ and instantiating the existential quantifier, we are left with proving $(j,i) : ((\ell = 0) \wedge (\ell = a)\frown\phi)\frown true$. This can be illustrated as follows:

[Figure: the signed interval $(j,i)$ split at $k$, with $(\ell = 0) \wedge (\ell = a)\frown\phi$ on $(j,k)$ and $true$ on $(k,i)$.]

i.e., we have to find a $k$ such that $(k,i) : true$ and $(j,k) : (\ell = 0) \wedge (\ell = a)\frown\phi$. As $true$ holds on any interval and $\ell = 0$ only holds on point intervals we take $k$ to be $j$ and thus have to prove that $(j,j) : (\ell = a)\frown\phi$. We then need to find an $m$, viz.

[Figure: the point interval $(j,j)$ split at $m$, with $\ell = a$ on $(j,m)$ and $\phi$ on $(m,j)$.]

But $(j,i) : \ell = a$ and we are thus done as $(i,j) : \phi$ by assumption.
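As an added example (not part of the paper or of Isabelle/LSIL), the following Python code builds a finite SIL-model and checks the "pen and paper" reasoning above by brute force: it evaluates chop over the ternary relation $\mathcal{R}((i,k),(k,j),(i,j))$ of Section 3.3, expands the definition of $\phi^{-1}$ as given, and confirms the derived rule $^{-1}I$ together with properties 1) and 2) on every world of the model; it also checks axiom K of Section 2 on the same model. The choice of $\mathbb{Z}_M$ as temporal domain and as domain of individuals, with $\ell(i,j) = (j - i) \bmod M$, is an assumption of the example made so that the search is finite and the Abelian-group requirement is met; the paper does not fix a particular domain.

```python
"""Finite SIL-models (Section 3.3) and the converse modality of Section 4.1,
checked by brute force.  Added example, not the paper's code.  Our assumptions,
not the paper's: the temporal domain is the cyclic group Z_M, worlds are all
pairs (i, j) over it (so (j, i) is the signed reverse of (i, j)), the length
measure is l(i, j) = (j - i) mod M, and the domain of individuals is Z_M too,
which is an Abelian group and keeps quantification finite."""
import random

M = 4
T = range(M)
WORLDS = [(i, j) for i in T for j in T]

def length(w):
    i, j = w
    return (j - i) % M

# Formulas: ('true',), ('p', name), ('len', t), ('not', f), ('and', f, g),
# ('chop', f, g), ('ex', x, f); terms are int constants or variable names.
def val(t, env):
    return t if isinstance(t, int) else env[t]

def holds(f, w, V, env=None):
    """(W, R, V), w |= f  with  R((i,k), (k,j), (i,j))  and  env binding variables."""
    env = env if env is not None else {}
    k = f[0]
    if k == 'true': return True
    if k == 'p':    return w in V[f[1]]
    if k == 'len':  return length(w) == val(f[1], env)
    if k == 'not':  return not holds(f[1], w, V, env)
    if k == 'and':  return holds(f[1], w, V, env) and holds(f[2], w, V, env)
    if k == 'chop':                       # split the signed interval (i, j) at some m
        i, j = w
        return any(holds(f[1], (i, m), V, env) and holds(f[2], (m, j), V, env) for m in T)
    if k == 'ex':                         # rigid variable over the constant domain Z_M
        return any(holds(f[2], w, V, {**env, f[1]: d}) for d in T)
    raise ValueError(k)

def OR(f, g):  return ('not', ('and', ('not', f), ('not', g)))
def IMP(f, g): return OR(('not', f), g)

def conv(f):
    """phi^-1 = (Ex x)( l = x  and  ((l = 0 and (l = x) chop phi) chop true) )"""
    return ('ex', 'x', ('and', ('len', 'x'),
            ('chop', ('and', ('len', 0), ('chop', ('len', 'x'), f)), ('true',))))

def valid(f, V):
    return all(holds(f, w, V) for w in WORLDS)

def equivalent(f, g, V):
    return all(holds(f, w, V) == holds(g, w, V) for w in WORLDS)

def sample_valuations():
    """One hand-picked valuation plus a few seeded random ones (constructed data)."""
    rng = random.Random(7)
    yield {'p': {(i, (i + 1) % M) for i in T}, 'q': {(i, i) for i in T} | {(2, 0)}}
    for _ in range(3):
        yield {'p': {w for w in WORLDS if rng.random() < 0.5},
               'q': {w for w in WORLDS if rng.random() < 0.5}}

def check_laws():
    """Axiom K of Section 2, the derived rule ^-1 I, and properties 1) and 2) of
    Section 4.1 on every sampled model; returns True iff all of them hold."""
    p, q = ('p', 'p'), ('p', 'q')
    for V in sample_valuations():
        if not valid(IMP(('chop', p, OR(q, p)), OR(('chop', p, q), ('chop', p, p))), V):
            return False                 # K: chop distributes over or
        if not all(holds(conv(p), (j, i), V) for (i, j) in V['p']):
            return False                 # ^-1 I: (i,j) : p  gives  (j,i) : p^-1
        if not equivalent(conv(conv(p)), p, V):
            return False                 # 1) (phi^-1)^-1 <-> phi
        if not equivalent(conv(('chop', p, q)), ('chop', conv(q), conv(p)), V):
            return False                 # 2) (phi chop psi)^-1 <-> psi^-1 chop phi^-1
    return True

if __name__ == '__main__':
    print('all laws hold on the sampled SIL-models:', check_laws())
```

Because $\ell = 0$ forces the split point $k = j$ and $\ell = x$ on $(j,m)$ then forces $m = i$, `conv(f)` is true at $(j,i)$ exactly when `f` is true at $(i,j)$, which is what the two figures above illustrate; the check of property 2) shows why both derived rules, not just $^{-1}I$, are needed to move between a chopped interval and its reverse.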

We will now consider the proof of $^{-1}I$ in Isabelle/LSIL. For this we will need two simple lemmas (easily derivable):

    val len_ex = "(<?i,?j> : EX x. len = x ==> <?i,?j> : ?P) ==> <?i,?j> : ?P" : thm
    val TrueGlob = "<?i,?j> : True" : thm

saying, respectively, that any interval has some length and that true holds on any interval.

The following proof of $^{-1}I$ is taken verbatim⁷ from an Isabelle session. We start by stating the goal (in the proof script, P is used for $\phi$ and conv(P) is used for $\phi^{-1}$):

    > Goalw [conv_def] "<i,j>:P ==> <j,i>:conv(P)";
    <i,j> : P ==> <j,i> : conv(P)
     1. <i,j> : P ==> <j,i> : EX x. len = x & (len = 0 & len = x ~ P) ~ True

Isabelle responds with the goal to be proved and what subgoals are required to establish it. Note how the definition of conv is expanded as indicated in the statement of the goal (via [conv_def]). We now apply (using br or be) a series of named rules to suitable subgoals, possibly solving subgoals by assumption (using ba):

    > br len_ex 1;
     1. [| <i,j> : P; <j,i> : EX x. len = x |]
        ==> <j,i> : EX x. len = x & (len = 0 & len = x ~ P) ~ True
    > be exE 1;
     1. !!x. [| <i,j> : P; RI x; <j,i> : len = x |]
        ==> <j,i> : EX x. len = x & (len = 0 & len = x ~ P) ~ True
    > be exIRI 1;
     1. !!x. [| <i,j> : P; <j,i> : len = x |]
        ==> <j,i> : len = x & (len = 0 & len = x ~ P) ~ True

⁷ With the omission of some diagnostic output and minor pretty-printing.
    > br conjI 1;
     1. !!x. [| <i,j> : P; <j,i> : len = x |] ==> <j,i> : len = x
     2. !!x. [| <i,j> : P; <j,i> : len = x |] ==> <j,i> : (len = 0 & len = x ~ P) ~ True
    > ba 1;
     1. !!x. [| <i,j> : P; <j,i> : len = x |] ==> <j,i> : (len = 0 & len = x ~ P) ~ True
    > br chopI 1;
     1. !!x. [| <i,j> : P; <j,i> : len = x |] ==> <j,?k4(x)> : len = 0 & len = x ~ P
     2. !!x. [| <i,j> : P; <j,i> : len = x |] ==> <?k4(x),i> : True
    > br TrueGlob 2;
     1. !!x. [| <i,j> : P; <j,i> : len = x |] ==> <j,?k4(x)> : len = 0 & len = x ~ P
    > br conjI 1;
     1. !!x. [| <i,j> : P; <j,i> : len = x |] ==> <j,?k4(x)> : len = 0
     2. !!x. [| <i,j> : P; <j,i> : len = x |] ==> <j,?k4(x)> : len = x ~ P
    > br lenZero 1;
     1. !!x. [| <i,j> : P; <j,i> : len = x |] ==> <j,j> : len = x ~ P
    > br chopI 1;
     1. !!x. [| <i,j> : P; <j,i> : len = x |] ==> <j,?k8(x)> : len = x
     2. !!x. [| <i,j> : P; <j,i> : len = x |] ==> <?k8(x),j> : P
    > ba 1;
     1. !!x. [| <i,j> : P; <j,i> : len = x |] ==> <i,j> : P
    > ba 1;
    No subgoals!

Notice that the two schematic variables ?k4(x) and ?k8(x) correspond, respectively, to $k$ and $m$ in the "pen and paper" proof.

We could in a similar way prove $^{-1}E$ and the theorems 1) and 2) follow easily. It should be clear by the above example that the proofs in Isabelle/LSIL are very close to the abstraction level of "pen and paper" reasoning.

It is interesting to compare the effort needed to prove 1) and 2) in Isabelle/LSIL with corresponding proofs in the sequent calculus for SIL described in [13]: The above proof is much shorter than the one in the sequent calculus; this despite the fact that some effort has been put into automating reasoning in the sequent calculus and no automation (so far) has been put into Isabelle/LSIL. To partly explain this very noticeable difference we make some observations: In the sequent calculus of [13] we cannot have derived rules such as $^{-1}I$ as we cannot explicitly refer to intervals within the proof system (formulas are not labelled). Furthermore, we cannot reason "independently" of subintervals but have to "collapse" them by means of the axiom $\ell = s + t \leftrightarrow (\ell = s)\frown(\ell = t)$ and related techniques. This means that proofs get more complex in the sequent calculus of [13] as it is more difficult to modularize proofs and separate concerns.

5 Labelled Duration Calculus 

So far we have concentrated on investigating a LND system for SIL. In this 
section we briefly sketch how a similar framework can be developed for ITL and 
DC. 

Semantically, ITL can be regarded as a restriction of SIL as only a subset of the signed intervals are allowed: The intervals where the end point is greater than the beginning point. This intuition motivates the following LND rules for chop in ITL.
$$\frac{(i,k) : \phi\quad (k,j) : \psi\quad i \sqsubseteq k\quad k \sqsubseteq j}{(i,j) : \phi\frown\psi}\;\frown I
\qquad
\frac{(i,j) : \phi\frown\psi\qquad\begin{array}{c}[(i,k) : \phi]\ [i \sqsubseteq k]\ \ [(k,j) : \psi]\ [k \sqsubseteq j]\\ \vdots\\ (m,n) : \chi\end{array}}{(m,n) : \chi}\;\frown E$$
Loosely speaking, by restricting the other rules of SIL in a similar way we will get a LND system for ITL. The relation $\sqsubseteq$ defines an ordering over the temporal domain and to reason with $\sqsubseteq$ we add rules defining its properties (such as transitivity). DC is an extension of ITL [6] and LND rules for DC can be added conservatively to the above system. An encoding of ITL and DC in Isabelle can be carried out along the very same lines as the one for SIL in the previous section.

6 Conclusion 

We have developed a LND system for SIL and encoded it in Isabelle. 

From a theoretical viewpoint the main result of the paper is the theorem 
stating that normal derivations in the LND system satisfy a subformula property. 

From a pragmatic viewpoint we feel that our example of reasoning in Is- 
abelle/LSIL convincingly conveys the benefits of using a labelled framework. 

By sketching how the framework can be modified for ITL and DC we have 
also indicated how the ideas of the paper have a broader applicability. 
Abstract. In this paper, we introduce decidable multimodal logics to
describe and reason about navigation across object structures. The start- 
ing point of these navigation logics is the modelling of object structures 
as Kripke models that contain a family of deterministic accessibility re- 
lations; one for each pointer attribute. These pointer attributes are used 
in the logics both as first-order terms in equalities and as modal opera- 
tors. To handle the ambiguities of pointer attributes the logics also cover 
a mechanism to bind logical variables to objects that are reachable by 
a pointer. The main result of this paper is a tableau construction for 
deciding the validity of formulas in the navigation logics. 



1 Introduction 

In describing structures of objects, we distinguish two main levels of abstraction. First, there is the modelling level as specified by the Unified Modelling Language (UML) [10]. At this level, in UML, a structure of objects is described in terms of a diagram consisting of classes that are related to each other via associations. Consider for instance the diagram depicted in Figure 1, which covers a class Person that is related to a class Book via the association Author and a class Company that is related to the class Book via the association Publisher. As indicated in the diagram, the multiplicity of these associations Author and Publisher is one-to-many.




Fig. 1. A class diagram at the modelling level 



Second, we distinguish the implementation level, which describes the execu- 
tion of an object-oriented programming language, like for instance JAVA, directly 
in terms of the class instances. At this level, the associations of the high-level 
class diagram are implemented by means of pointer attributes and collection objects like sets, sequences, enumerations and bags that act as multiplexers. Consider for example the object structure in Figure 2, which depicts an instance $p$ of the class Person, instances $b_1$, $b_2$ and $b_3$ of the class Book, instances $c_1$ and $c_2$ of the class Company, and multiplexers $m_1$, $m_2$ and $m_3$. Persons have a pointer named AuthorOf to a multiplexer, multiplexers have pointers named item(1), item(2), item(3) etc. to books, books have a pointer AuthoredBy to a person and a pointer PublishedBy to a company, and companies have a pointer PublisherOf to a multiplexer.




Fig. 2. An object structure at the implementation level 



A central concept for the description of object structures at both the modelling 
and implementation level is navigation [7]. The main problem addressed 
in this paper is a logical description of navigation at the implementation level, 
which denotes the operation of successively following pointers across an object 
structure. A crucial property of navigation is reachability, i.e., the question 
whether starting at an object it is possible to reach another object by navigation. 
For instance, in the object structure of Figure 2, person $p$ is the author of a book 
that is published by company $c_2$. In terms of navigation this means that it is 
possible to reach $c_2$ from $p$ by navigating the attributes AuthorOf, item(3) and 
PublishedBy. Conversely, company $c_2$ is the publisher of a book that is authored 
by $p$. However, it is not possible to reach $p$ from $c_2$ by navigation because there is 
no pointer from $b_3$ to $p$. This could indicate an error in the programming code. 

Standard first-order logic, which allows only quantification over objects, is 
not expressive enough to describe reachability in a network of objects. Moreover, 
the validity problem for first-order logic is undecidable. Standard modal logics [9] 
are suited to navigate through Kripke models, but although they are decidable, 
they also lack expressive power because they do not distinguish between bisimilar 
Kripke models, such as for instance between a loop and its infinite unfolding. 

Over the last decade, a new family of modal logics has come up, which 
combine modal operators with first-order variable-binding mechanisms. These 
languages are referred to as the family of hybrid logics [2]. In contrast to standard 
first-order modal logic [6], these logics cover mechanisms to bind variables to the 
worlds of a Kripke model. In particular, in [5], a general logical framework is 
presented that extends the navigation mechanism of standard modal logic with 
a variable-binding mechanism that allows the binding of variables to worlds that 
are in the domain of the current world, like for instance the worlds that are 
accessible. 

The starting point of the navigation logics presented in this paper is the 
modelling of object structures at the implementation level as Kripke models 
that contain a family of deterministic accessibility relations; one for each pointer 
attribute. Additionally, we introduce a variable-binding mechanism along the 
lines of [5] that allows the binding of logical variables to objects that are reachable 
by a pointer. These pointer attributes can be used in the logic both as first-order 
terms in equalities and as modal operators. The main result of the paper is a 
tableau construction for deciding the validity of formulas in the navigation logics. 

The plan of the paper is as follows. In Section 2, we define the syntax of 
the basic navigation logic. The semantics of this logic is developed in Section 3. 
Additionally, in Section 4, we present a tableau construction for deciding the 
validity of formulas in the basic navigation logic. In the subsequent section, we 
discuss two decidable extensions of the basic navigation logic; viz. an extension 
that includes a collection of jump operators and an extension that covers naviga- 
tion programs. Finally, in Section 6, we wrap up by providing several directions 
for future research. 



2 Basic Navigation Logic 

In this section, we define the basic navigation logic. Let $\mathcal{A} = \{A_1, \ldots, A_n\}$ be 
a finite set of pointer attributes and $\mathcal{C} = \{nil, self\}$ be the set of constants. 
The constant nil is used to denote 'undefined' and the constant self to denote 
an object itself. Additionally, let $Var$ be a set of variables with typical elements 
$x$, $y$, $z$. The set $\mathcal{T} = \mathcal{A} \cup \mathcal{C} \cup Var$, with typical element $t$, denotes the set of terms. 
Finally, let $\mathcal{P}$ be a set of propositional atoms, with typical elements $p$, $q$ and $r$. 

Definition 1. The basic navigation language $\mathcal{L}_0$ consists of formulas $\varphi$ that are 
generated by the following BNF-grammar: 

$$\varphi ::= p \mid (t_1 = t_2) \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid \langle A\rangle\varphi \mid \exists x{=}t(\varphi)$$

We have the usual abbreviations $\varphi \to \psi$ for $\neg\varphi \vee \psi$, $\varphi_1 \wedge \varphi_2$ for $\neg(\neg\varphi_1 \vee \neg\varphi_2)$, 
and $\varphi \leftrightarrow \psi$ for $(\varphi \to \psi) \wedge (\psi \to \varphi)$. 

In the language $\mathcal{L}_0$ pointer attributes can be used both as first-order terms in 
equalities and as modal operators for navigation, which are applied to formulas: 
a formula $\langle A\rangle\varphi$ expresses that $\varphi$ holds for the object that results from following 
the pointer $A$. 

Different objects, and in particular different objects from the same class, can 
have attributes with the same name. To handle the ambiguities of these pointer 
attributes, i.e., in order to be able to compare the pointer attributes of different 
objects, the language covers a variable-binding mechanism: $\exists x{=}t(\varphi)$ denotes the 
formula $\varphi$ in which the variable $x$ is bound to the object denoted by the term $t$. 
For instance, the formula $\exists x{=}A\,\langle B\rangle\neg(x = A)$ expresses that the pointer attribute 
$A$ of the current object and the pointer attribute $A$ of the object that is reached 
by following the pointer $B$ from the current object have different denotations. 
This variable-binding mechanism is further illustrated in the example below. 




Fig. 3. Objects arranged in a ring structure 



Example 1. Consider the structure depicted in Figure 3 in which the objects are 
arranged in a ring. Each object has two pointers $L$ and $R$ to denote its left and 
its right neighbour, respectively. As an example, we have that each object is the 
left neighbour of its right neighbour; formally, for each object in the ring the 
formula $\exists x{=}self\,\langle R\rangle(L = x)$ is true. Second, each object's right neighbour is the 
same object as the left neighbour of the left neighbour of its left neighbour; that 
is, for each object the formula $\exists x{=}R\,\langle L\rangle\langle L\rangle(L = x)$ holds. 

The above example illustrates the difference with the variable-binding mechanism 
of first-order logic, in which this form of binding can be modelled by 
substitution. That is, in first-order logic, the formula $\exists x{=}t(\varphi)$ can be modelled 
by $\varphi[t/x]$, which denotes the substitution of $t$ for $x$ in $\varphi$. If we would apply such 
substitution to the formula $\exists x{=}R\,\langle L\rangle\langle L\rangle(L = x)$ we obtain $\langle L\rangle\langle L\rangle(L = R)$, which 
expresses that for the left neighbour of an object's left neighbour it holds that 
the left neighbour and the right neighbour are the same. This does not hold for 
any of the objects in the above figure. 

Finally, as our primary concern is the development of a decidable naviga- 
tion logic, we only include the datatype of pointers. We assume a propositional 
encoding of information about the state of an object, which may include other 
datatypes like integers and booleans; e.g., the fact x < y, which expresses that 
the value of the integer variable x is less than the value of y, can be represented 
by a particular proposition p. 



3 Semantics 

In this section, we introduce the semantics of $\mathcal{L}_0$ that is based on a formal description 
of object structures in terms of Kripke models that contain a deterministic 
accessibility relation for each pointer attribute. 
Definition 2. A Kripke model $M$ is a triple $(O, K, \pi)$ where $O$ denotes the set 
of objects, which form the states or worlds of the Kripke model, $K$ is a total 
function of type 

$$K : O \to (\mathcal{A} \to O)$$

and $\pi$ is a valuation function of type 

$$\pi : O \to \wp(\mathcal{P}).$$

We assume an element $\bot \in O$ that stands for 'undefined', i.e., the value of 
nil. The function $K$ defines the accessibility relations of the model; that is, for 
each object $o$ and attribute $A$, we have that $K(o)(A)$ denotes the object that is 
accessible from $o$ by following the pointer $A$. Moreover, if $K(o)(A) = \bot$ then $A$ is 
called a nil pointer. Additionally, the function $\pi$ constitutes a valuation function 
that maps each world $o$ to the set of propositions that are true in it. 

Definition 3. Given a model $M = (O, K, \pi)$, a state $o \in O$ and an assignment 
function $s : Var \to O$, the interpretation $[\![t]\!]_{M,o,s}$ of a term $t \in \mathcal{T}$ is defined by: 

$$[\![nil]\!]_{M,o,s} = \bot \qquad [\![self]\!]_{M,o,s} = o \qquad [\![A]\!]_{M,o,s} = K(o)(A) \qquad [\![x]\!]_{M,o,s} = s(x)$$

Additionally, the truth definition $M, o, s \models \varphi$ for the language $\mathcal{L}_0$ is inductively 
given as follows: 

$$M, o, s \models (t_1 = t_2) \ \text{ iff }\ [\![t_1]\!]_{M,o,s} = [\![t_2]\!]_{M,o,s}$$

$$M, o, s \models p \ \text{ iff }\ p \in \pi(o)$$

$$M, o, s \models \varphi_1 \vee \varphi_2 \ \text{ iff }\ M, o, s \models \varphi_1 \text{ or } M, o, s \models \varphi_2$$

$$M, o, s \models \neg\varphi \ \text{ iff }\ M, o, s \not\models \varphi$$

$$M, o, s \models \langle A\rangle\varphi \ \text{ iff }\ M, o', s \models \varphi, \text{ where } o' = K(o)(A) \neq \bot$$

$$M, o, s \models \exists x{=}t(\varphi) \ \text{ iff }\ M, o, s\{x \mapsto o'\} \models \varphi, \text{ where } o' = [\![t]\!]_{M,o,s}$$

where $s\{x \mapsto o'\}$ denotes the function that behaves like $s$ except for the input $x$ 
for which it yields the output $o'$. 

We define $M, o \models \varphi$ if for all assignments $s$ it holds that $M, o, s \models \varphi$. 
Additionally, we have $M \models \varphi$ if $M, o \models \varphi$ holds for all objects $o$. Finally, $\models \varphi$ 
holds if $M \models \varphi$ for all Kripke models $M$. 

In standard modal logic with deterministic Kripke models, there is only a 
subtle difference between the interpretation of the possibility and the necessitation 
operator: the possibility operator requires exactly one accessible world to 
exist, while in the case of the necessitation operator it is required that at most 
one accessible world exists. Here, we have chosen the possibility interpretation 
of the navigation operator; the necessitation reading of the operator would 
be: 

$$M, o, s \models [A]\varphi \ \text{ iff }\ o' = K(o)(A) \neq \bot \text{ implies } M, o', s \models \varphi$$

Thus, the difference is that in the latter reading the formula is also true if 
there is no accessible state. Note that $\models [A]\varphi \leftrightarrow (\langle A\rangle\varphi \vee A = nil)$. An alternative 
to dealing with nil pointers is to use a three-valued logic, which besides the 
truth values true and false includes a value for undefinedness, but this would 
unnecessarily complicate the technical treatment. Note that in the evaluation of 
$\exists x{=}t(\varphi)$ we do allow $t$ to be a nil pointer. 

Finally, we remark that in the evaluation of formulas, the roles of constants 
and variables are interchanged: The interpretation of variables remains constant 
during the evaluation of a formula, in other words, their interpretation is ‘frozen’, 
while the interpretation of constants varies with the current state of evaluation. 
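The truth definition above can be executed directly. The following is an added example, not code from the paper: a small Python evaluator for $\mathcal{L}_0$ over a Kripke model given as a dictionary. It is checked against the ring structure of Example 1 (assumed here to contain four objects, which is what makes both Example 1 formulas hold at every object), against the substitution variant $\langle L\rangle\langle L\rangle(L = R)$, and against a constructed object structure in the shape of Figure 2 in which $b_3$ has no AuthoredBy pointer, which shows the difference between the possibility reading $\langle A\rangle$ and the necessitation reading $[A]$ at a nil pointer. The tuple encoding of terms and formulas and the object names are the example's own conventions.

```python
# Added example (not from the paper): the semantics of the basic navigation
# logic L0 (Definitions 2 and 3) as an evaluator over a finite Kripke model.
# A model is {"K": {obj: {attr: obj}}, "pi": {obj: set_of_props}}; a missing
# attribute entry is a nil pointer. Terms and formulas are tuples:
#   terms:    ("nil",) ("self",) ("attr", A) ("var", x)
#   formulas: ("p", name) ("eq", t1, t2) ("not", f) ("or", f1, f2)
#             ("nav", A, f) ("bind", x, t, f)        # bind = Ex=t(f)
BOTTOM = None          # the undefined object, i.e. the value of nil


def term_value(model, o, s, t):
    """[[t]]_{M,o,s}: the denotation of term t at object o under assignment s."""
    kind = t[0]
    if kind == "nil":
        return BOTTOM
    if kind == "self":
        return o
    if kind == "attr":                       # K(o)(A)
        return model["K"][o].get(t[1], BOTTOM)
    if kind == "var":
        return s[t[1]]
    raise ValueError(f"unknown term {t!r}")


def holds(model, o, s, f):
    """M,o,s |= f, clause by clause as in the truth definition."""
    kind = f[0]
    if kind == "p":
        return f[1] in model["pi"].get(o, set())
    if kind == "eq":
        return term_value(model, o, s, f[1]) == term_value(model, o, s, f[2])
    if kind == "not":
        return not holds(model, o, s, f[1])
    if kind == "or":
        return holds(model, o, s, f[1]) or holds(model, o, s, f[2])
    if kind == "nav":                        # possibility reading: nil pointer -> false
        o2 = model["K"][o].get(f[1], BOTTOM)
        return o2 is not BOTTOM and holds(model, o2, s, f[2])
    if kind == "bind":                       # freeze the denotation of t in x (t may be nil)
        s2 = dict(s)
        s2[f[1]] = term_value(model, o, s, f[2])
        return holds(model, o, s2, f[3])
    raise ValueError(f"unknown formula {f!r}")


def box(A, f):
    """Necessitation reading [A]f, via the equivalence [A]f <-> (<A>f \\/ A = nil)."""
    return ("or", ("nav", A, f), ("eq", ("attr", A), ("nil",)))


def valid_in(model, f):
    """M |= f for a closed formula f (no free variables, so the assignment is irrelevant)."""
    return all(holds(model, o, {}, f) for o in model["K"])


def ring_model(n):
    """Constructed ring of n objects o0..o{n-1}: R is the right, L the left neighbour."""
    objs = [f"o{i}" for i in range(n)]
    K = {objs[i]: {"R": objs[(i + 1) % n], "L": objs[(i - 1) % n]} for i in range(n)}
    return {"K": K, "pi": {}}


TRUE = ("eq", ("self",), ("self",))
# Example 1:  Ex=self <R>(L = x)   and   Ex=R <L><L>(L = x)
RING_1 = ("bind", "x", ("self",), ("nav", "R", ("eq", ("attr", "L"), ("var", "x"))))
RING_2 = ("bind", "x", ("attr", "R"),
          ("nav", "L", ("nav", "L", ("eq", ("attr", "L"), ("var", "x")))))
# the substitution variant <L><L>(L = R), which is not what Ex=R ... means
RING_SUBST = ("nav", "L", ("nav", "L", ("eq", ("attr", "L"), ("attr", "R"))))

# Constructed object structure in the shape of Figure 2; the exact pointers are
# an assumption except for the facts stated in the text (p reaches c2 via
# AuthorOf, item(3), PublishedBy; b3 has no pointer back to p).
BOOKS = {"K": {
    "p": {"AuthorOf": "m1"},
    "m1": {"item(1)": "b1", "item(2)": "b2", "item(3)": "b3"},
    "b1": {"AuthoredBy": "p", "PublishedBy": "c1"},
    "b2": {"AuthoredBy": "p", "PublishedBy": "c1"},
    "b3": {"PublishedBy": "c2"},                 # AuthoredBy is a nil pointer
    "c1": {"PublisherOf": "m2"}, "c2": {"PublisherOf": "m3"},
    "m2": {"item(1)": "b1", "item(2)": "b2"}, "m3": {"item(1)": "b3"},
}, "pi": {}}
REACH_PUBLISHER = ("nav", "AuthorOf", ("nav", "item(3)", ("nav", "PublishedBy", TRUE)))


def example_results():
    ring = ring_model(4)
    return {
        "ring_1": valid_in(ring, RING_1),                                   # True
        "ring_2": valid_in(ring, RING_2),                                   # True
        "ring_subst_anywhere": any(holds(ring, o, {}, RING_SUBST) for o in ring["K"]),  # False
        "p_reaches_a_publisher": holds(BOOKS, "p", {}, REACH_PUBLISHER),   # True
        "b3_diamond": holds(BOOKS, "b3", {}, ("nav", "AuthoredBy", TRUE)),  # False: nil pointer
        "b3_box": holds(BOOKS, "b3", {}, box("AuthoredBy", TRUE)),          # True: vacuous
    }


if __name__ == "__main__":
    for name, value in example_results().items():
        print(f"{name}: {value}")
```

The `bind` clause is where this differs from a substitution-based encoding: the denotation of $t$ is computed once, at the object where the binder is evaluated, and then carried unchanged into the scope, which is why `RING_2` holds on a four-object ring while `RING_SUBST` holds nowhere.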



4 Decidability of Basic Navigation Logic 



In this section, we show that the validity of formulas in $\mathcal{L}_0$ can be decided by 
means of a semantic tableau procedure. 

Definition 4. Given a set $O$ of objects, we construct a semantic tableau, which 
is a tree-like structure with nodes of the form $o : \Gamma$, where $o \in O \setminus \{\bot\}$ and 
$\Gamma \subseteq \mathcal{L}_0$. 

The construction of a tableau involves three types of branch extension rules, 
namely conjunctive rules, disjunctive rules and navigation rules. They are of the 
following general format, respectively: 

$$\frac{o : \Delta, \varphi}{o : \Delta, \Gamma} \qquad\qquad \frac{o : \Delta, \varphi}{o : \Delta, \Gamma \ \mid\ o : \Delta, \Gamma'} \qquad\qquad \frac{o : \Gamma}{o' : \Gamma'}$$

The rules are as follows (we omit the context $\Delta \subseteq \mathcal{L}_0$): 

Conjunctive rules: 

$$\frac{o : \neg(\varphi_1 \vee \varphi_2)}{o : \neg\varphi_1, \neg\varphi_2} \qquad \frac{o : \exists x{=}t(\varphi)}{o : x = t, \varphi} \qquad \frac{o : \neg\exists x{=}t(\varphi)}{o : x = t, \neg\varphi} \qquad \frac{o : \neg\neg\varphi}{o : \varphi}$$

Disjunctive rules: 

$$\frac{o : \varphi_1 \vee \varphi_2}{o : \varphi_1 \ \mid\ o : \varphi_2} \qquad\qquad \frac{o : \neg\langle A\rangle\varphi}{o : \langle A\rangle\neg\varphi \ \mid\ o : A = nil}$$

Navigation rule: 

$$o : \Gamma \ \xrightarrow{A}\ o' : \Gamma_A$$

where $\Gamma_A = \{\varphi \mid \langle A\rangle\varphi \in \Gamma\}$ and $o'$ is a fresh label. 

Given an input formula $\varphi \in \mathcal{L}_0$, the construction of the tableau for $\varphi$ then 
proceeds as follows: 

(0) Start with an initial tree consisting of the root node $o : \varphi$. 

(1) If a conjunctive or disjunctive rule is applicable then apply it and goto (1), 
else goto (2). 

(2) If the navigation rule is applicable then apply it once for each attribute $A$ 
that occurs in $\Gamma$ such that $\Gamma_A$ is non-empty and goto (1), else terminate. 

The construction of the tableau always terminates. Formally, this can be 
shown by a straightforward induction on the length of the input formula $\varphi$. 

Before considering the soundness and completeness of the tableau construc- 
tion, let us briefly sketch how a model can be extracted from a tableau. A tableau 
consists of a number of branches; the branches with a consistent theory can be 
used in the model construction. The theory of a branch is given by the set of 
literals that occur on it, but as the interpretation of these literals is relative to 
the nodes of the branch, we need to replace them by absolute literals whose 
interpretation is node-independent. A model is then obtained from a consistent 
branch by identifying the nodes that are expressed to be equal in the theory; 
in other words, each world of the model represents an equivalence class of iden- 
tified nodes. Although the branch is a tree structure, the corresponding model 
may contain cycles due to these identifications. Finally, the accessibility relation 
and the valuation function of the model can be extracted from the branch in a 
straightforward manner. 

The remainder of this section is devoted to an outline of the soundness and 
completeness proofs of the above semantic tableau method. From now on, we fix 
$O$, with $\bot \in O$, to be the set of objects used in the tableau construction. 

First, we give a definition of terms and propositions, so-called absolute terms 
and absolute propositions, whose evaluation does not depend on the current 
object. 

Definition 5. The set $\mathcal{T}_{abs}$ of absolute terms and the set $\mathcal{P}_{abs}$ of absolute propositions 
are given by: 

$$\mathcal{T}_{abs} = Var \cup O \cup \{o.A \mid o \in O, A \in \mathcal{A}\}$$

$$\mathcal{P}_{abs} = \{o.p \mid o \in O, p \in \mathcal{P}\}$$

An absolute literal is an (in)equation between terms of $\mathcal{T}_{abs}$ or (the negation 
of) an absolute proposition of $\mathcal{P}_{abs}$. 

Next, we define the interpretation of absolute terms and propositions. 

Definition 6. Given a Kripke model $M = (O', K, \pi)$, a corresponding assignment 
$s$, and a strict (with respect to the respective bottom elements $\bot \in O$ and 
$\bot' \in O'$) mapping $\theta \in O \to O'$, we define the interpretation $[\![t]\!]_{M,s,\theta}$ of an 
absolute term $t$ as follows: 

$$[\![x]\!]_{M,s,\theta} = s(x) \qquad [\![o]\!]_{M,s,\theta} = \theta(o) \qquad [\![o.A]\!]_{M,s,\theta} = K(\theta(o))(A)$$

Additionally, for all $t_1, t_2 \in \mathcal{T}_{abs}$ and $o.p \in \mathcal{P}_{abs}$ we define: 

$$M, s, \theta \models (t_1 = t_2) \ \text{ iff }\ [\![t_1]\!]_{M,s,\theta} = [\![t_2]\!]_{M,s,\theta}$$

$$M, s, \theta \models o.p \ \text{ iff }\ p \in \pi(\theta(o))$$

Note that the strictness of $\theta$ yields $[\![\bot]\!]_{M,s,\theta} = \bot'$. 

The following definition associates with each $o \in O \setminus \{\bot\}$ an operation that 
transforms a term $t \in \mathcal{T}$ into a corresponding absolute term. 

Definition 7. For each term $t \in \mathcal{T}$ and object $o \in O \setminus \{\bot\}$ we define the term 
$t^o \in \mathcal{T}_{abs}$ by: 

$$nil^o = \bot \qquad self^o = o \qquad A^o = o.A \qquad x^o = x$$

The following lemma states some truth-preserving properties of this operation. 

Lemma 1. For every model $M = (O', K, \pi)$, corresponding variable assignment 
$s$, and strict mapping $\theta \in O \to O'$ we have for every term $t \in \mathcal{T}$: 

$$[\![t]\!]_{M,\theta(o),s} = [\![t^o]\!]_{M,s,\theta}$$

Similarly, for every equality $(t_1 = t_2) \in \mathcal{L}_0$ and every proposition $p \in \mathcal{P}$ we 
have: 

$$M, \theta(o), s \models (t_1 = t_2) \ \text{ iff }\ M, s, \theta \models (t_1^o = t_2^o)$$

$$M, \theta(o), s \models p \ \text{ iff }\ M, s, \theta \models o.p$$

Next, we define the deductive closure of a set of absolute literals. 

Definition 8. For each set $F$ of absolute literals, its deductive closure $Clos(F)$ 
is defined to be the smallest set that contains $F$ and that is closed under the 
following rules: 

— $(t = t) \in Clos(F)$, for every term $t$ occurring in $F$ 

— if $(t_1 = t_2) \in Clos(F)$ then $(t_2 = t_1) \in Clos(F)$ 

— if $(t_1 = t_2), (t_2 = t_3) \in Clos(F)$ then $(t_1 = t_3) \in Clos(F)$ 

— if $t_1 = t_2, \varphi \in Clos(F)$ then $\varphi[t_2/t_1] \in Clos(F)$ 

It is not difficult to see that if $F$ is a finite set of absolute literals then $Clos(F)$ 
is also finite. 

A branch $T$ of a semantic tableau is a substructure that contains the root 
node and that for each application of a conjunctive rule contains its child, for 
each application of a disjunctive rule contains precisely one of its children, and 
for each application of the navigation rule contains all its children. The theory 
of a tableau branch, a deductively closed set of absolute literals, is introduced 
in the following definition. 

Definition 9. The theory of a branch $T$ is given by $Th(T) = Clos(F)$, 
where 

$$F = \{o.p \mid o : p \in T\} \cup \{\neg o.p \mid o : \neg p \in T\} \cup 
\{t_1^o = t_2^o \mid o : (t_1 = t_2) \in T\} \cup \{\neg(t_1^o = t_2^o) \mid o : \neg(t_1 = t_2) \in T\} \cup 
\{o.A = o' \mid o \xrightarrow{A} o' \in T\} \cup \{\neg(o = \bot) \mid o \in T\}.$$

(When we write $o : \varphi \in T$ we mean that there exists a node $o : \Delta, \varphi$ in $T$, for 
some set of formulas $\Delta$. Additionally, by $o \xrightarrow{A} o' \in T$ we mean that in $T$ there 
exists an $A$-link from a node labelled by $o$ to one labelled by $o'$.) 

It is worthwhile to observe that $Th(T)$ is a finite set of absolute literals. Next, 
we define when a tableau branch is closed, that is, does not give rise to a model. 

Definition 10. A branch $T$ is called closed if $Th(T)$ is inconsistent (i.e., contains 
both a literal and its negation). If $T$ is not closed it is called open. 

In the following definition, we introduce the notion of a homomorphic mapping 
of a branch of a semantic tableau into a Kripke model. 

Definition 11. A strict mapping $\theta : O \to O'$ is a homomorphic mapping of a 
branch $T$ of a tableau into a model $M = (O', K, \pi)$ with respect to a variable 
assignment $s$ if the following hold: 

— if $o \xrightarrow{A} o' \in T$ then $K(\theta(o))(A) = \theta(o')$ 

— if $o : \varphi \in T$ then $M, \theta(o), s \models \varphi$ 

Finally, we are in a position to state and prove the soundness of the tableau 
method. 

Theorem 1. For all $\varphi \in \mathcal{L}_0$, if $\varphi$ is satisfiable then its tableau has an open 
branch. 

Proof. Without loss of generality we may assume that in $\varphi$ each variable $x$ is 
bound at most once and does not occur both free and bound. Let $M = (O', K, \pi)$ 
be a model and $s$ a variable assignment such that $M, o', s \models \varphi$, for some $o'$. For 
an inductive argument, suppose we have constructed a variable assignment $s$ 
and a corresponding homomorphic mapping $\theta : O \to O'$ into $M$ of all the nodes 
of a branch of the tableau of $\varphi$ which occur at a depth smaller than some $n > 0$. 
We consider the following two main extensions. 

— The branch with node $o : \Delta, \exists x{=}t(\psi)$ at level $n$ is extended with $o : \Delta, x = 
t, \psi$. From the existence of the homomorphism $\theta$ we derive that $M, \theta(o), s \models 
\exists x{=}t(\psi)$. Using the truth definition we obtain $M, \theta(o), s\{x \mapsto o'\} \models \psi$ for 
$o' = [\![t]\!]_{M,\theta(o),s}$. Thus, we have $M, \theta(o), s\{x \mapsto o'\} \models (x = t) \wedge \psi$. It follows 
by the above assumption on $\varphi$ that $x$ does not occur (free) in any formula 
occurring in the tableau other than $\psi$. So we have that $\theta$ is also a homomorphism 
into $M$ with respect to the variable assignment $s\{x \mapsto o'\}$ and which 
now includes also the node $o : \Delta, x = t, \psi$. 

— A node $o : \Gamma \in T$ on this branch at level $n$ is $A$-linked to a new node 
$o' : \Gamma_A$, for some attribute $A$. From the assumption $M, \theta(o), s \models \Gamma$ we 
derive $M, o'', s \models \Gamma_A$ for $o'' = K(\theta(o))(A) \neq \bot$. So, we can extend $\theta$ to a 
homomorphism $\theta\{o' \mapsto o''\}$ which includes the new node $o' : \Gamma_A$. 

Via Lemma 1 and the construction of the homomorphism $\theta$ we derive $M, s, 
\theta \models Th(T)$, for some branch $T$. From this it follows that $Th(T)$ is consistent, 
i.e., that $T$ is an open branch. □ 
To prove completeness we first show how to construct a model from an open 
branch. 

Definition 12. Given an open branch $T$, we define the Kripke model $M_T = 
(O', K, \pi)$ as follows: 

— The underlying set $O'$ of worlds consists of the equivalence classes: 

$$[t] = \{t' \mid (t = t') \in Th(T)\},$$

where $t, t' \in \mathcal{T}_{abs} \setminus Var$. The equivalence class $[\bot]$ plays the role of bottom in 
$O'$. 

— The accessibility function $K$ is defined by: 

$$K([o])(A) = [o.A]$$

$$K([t])(A) = [\bot], \text{ if there does not exist an } o \in [t].$$

— The valuation function $\pi$ is defined by: 

$$\pi([t]) = \{p \mid o : p \in T \text{ for some } o \in [t]\}.$$

It is straightforward to check that $M_T$ is indeed well-defined. Moreover, by 
construction of $M_T$, an absolute term denotes in $M_T$ its corresponding equivalence 
class under the strict mapping $\theta$ which assigns to every $o \in O$ its equivalence 
class $[o]$. This is expressed formally by the following lemma. 

Lemma 2. Let $s$ be an assignment that assigns to each variable an object of 
$M_T$, i.e., an equivalence class of absolute terms. Additionally, let $\theta \in O \to O'$ 
be a strict mapping which assigns to every $o \in O$ its corresponding equivalence 
class $[o]$ in $M_T$. For each $t \in \mathcal{T}_{abs}$ let $[t]_s$ denote the equivalence class $[t]$ itself, 
in case $t \notin Var$, and $[x]_s = s(x)$, otherwise. For each term $t \in \mathcal{T}_{abs}$ we then 
have: 

Given the above, we are now in a position to prove the completeness theorem. 

Theorem 2. For all $\varphi \in \mathcal{L}_0$, if the tableau for $\varphi$ has an open branch then $\varphi$ is 
satisfiable. 

Proof. Let $T$ be an open branch of the tableau for $\varphi$. We show that for all 
$o : \psi \in T$ we have $M_T, [o], s \models \psi$ for the assignment $s$ that is defined by: 
$s(x) = [t]$, where $(x = t) \in Th(T)$ and $t \in \mathcal{T}_{abs} \setminus Var$. Note that the existence of 
such an absolute term follows from the fact that the initial formula $\varphi$ is assumed 
not to contain free variables. The proof proceeds by induction on the length of 
$\psi$. We treat the following characteristic cases. 

— case $p$. From $o : p \in T$ and $o \in [o]$ we derive $M_T, [o], s \models p$. 

— case $\neg p$. From $o : \neg p \in T$ and the fact that $T$ is open we derive $o' : p \notin T$ 
for all $o' \in [o]$. In other words, $M_T, [o], s \models \neg p$. 




334 



Frank S. de Boer and Rogier M. van Eijk 



— case $t_1 = t_2$. Suppose $o : (t_1 = t_2) \in T$. By definition of $Th(T)$ we have 
$t_1^o = t_2^o \in Th(T)$. By construction of the model $M_T$ and the definition of 
$s$ we derive $[t_1^o]_s = [t_2^o]_s$. From Lemma 2 we subsequently infer $M_T, s, \theta \models 
(t_1^o = t_2^o)$, where $\theta \in O \to O'$ is a strict mapping which assigns to every 
$o \in O$ its corresponding equivalence class $[o]$ in $M_T$. Finally, from Lemma 1 
we conclude $M_T, [o], s \models (t_1 = t_2)$. 

— case $\neg(t_1 = t_2)$. Suppose $o : \neg(t_1 = t_2) \in T$. By definition of $Th(T)$ we have 
$\neg(t_1^o = t_2^o) \in Th(T)$. Since $Th(T)$ is consistent we have $t_1^o = t_2^o \notin Th(T)$. 
By construction of the model $M_T$ and the definition of $s$ it thus follows that 
$[t_1^o]_s \neq [t_2^o]_s$, from which we derive by Lemma 2 that $M_T, s, \theta \models \neg(t_1^o = 
t_2^o)$, where $\theta \in O \to O'$ is a strict mapping which assigns to every $o \in O$ 
its corresponding equivalence class $[o]$ in $M_T$. From Lemma 1 we conclude 
$M_T, [o], s \models \neg(t_1 = t_2)$. 

— case $\langle A\rangle\psi$. Suppose $o : \langle A\rangle\psi \in T$. From the construction of the tableau 
we derive that there exists a node $o'$ with $o \xrightarrow{A} o' \in T$ and $o' : \psi \in T$. The 
induction hypothesis yields $M_T, [o'], s \models \psi$. The construction of the model 
$M_T$ then yields $M_T, [o], s \models \langle A\rangle\psi$. 

— case $\exists x{=}t(\psi)$. Suppose $o : \exists x{=}t(\psi) \in T$. From the construction of the tableau 
we derive that also $o : x = t, \psi \in T$. Applying the induction hypothesis we 
obtain $M_T, [o], s \models (x = t)$ and $M_T, [o], s \models \psi$. From this we conclude 
$M_T, [o], s \models \exists x{=}t(\psi)$. □ 

Note that from the construction of the model in the completeness theorem 
it follows that the language $\mathcal{L}_0$ satisfies the finite model property, i.e., every 
satisfiable formula is satisfiable in a finite model. Moreover, note that the constructed 
model may contain cycles, which indicates that the language $\mathcal{L}_0$ does 
not satisfy the tree model property, stating that every satisfiable sentence has 
a model that is a tree of bounded branching [12]. A counterexample is the formula 
$\exists x{=}self\,\langle A\rangle(x = self)$, which is only satisfiable in worlds that are $A$-linked 
to themselves. 
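As an added example (not code from the paper), the following Python program implements the tableau construction of Definition 4 together with the closed-branch test of Definitions 8 to 10 for $\mathcal{L}_0$, and uses it to decide satisfiability and validity. Node labels $o_0, o_1, \ldots$, the string encoding of absolute terms and the tuple encoding of formulas are the example's own conventions; the congruence step in the consistency check is how the substitution rule of Definition 8 is realised for pointer terms $o.A$. The last check shows why identifying nodes matters: $\exists x{=}self\,\langle A\rangle(x = self)$ forces the fresh successor to coincide with the root, so a proposition asserted at the one and denied at the other closes the only branch.

```python
# Added example (not the paper's own code): the semantic tableau of Section 4
# for L0, run as a satisfiability search. Formula tuples: ("p", n) ("eq", t1, t2)
# ("not", f) ("or", f1, f2) ("nav", A, f) ("bind", x, t, f); term tuples: ("nil",)
# ("self",) ("attr", A) ("var", x). Absolute literals (Definition 9) are
# ("eq", a, b), ("neq", a, b), ("pos", o, p), ("neg", o, p) over absolute terms
# written as strings: node labels "o0", pointer terms "o0.A", variables "x", "BOT".
import itertools


def absolute(t, o):
    """t^o (Definition 7): the node-independent form of term t at node o."""
    return {"nil": "BOT", "self": o, "attr": f"{o}.{t[-1]}", "var": t[-1]}[t[0]]


def expand(o, todo, lits, nav, fresh):
    """Apply the conjunctive and disjunctive rules at node o, then the navigation
    rule; yield the absolute literals of every branch below o."""
    todo, lits, nav = list(todo), list(lits), {a: list(v) for a, v in nav.items()}
    while todo:
        f = todo.pop()
        if f[0] == "p":
            lits.append(("pos", o, f[1]))
        elif f[0] == "eq":
            lits.append(("eq", absolute(f[1], o), absolute(f[2], o)))
        elif f[0] == "bind":                      # Ex=t(f)  =>  x = t, f
            todo += [("eq", ("var", f[1]), f[2]), f[3]]
        elif f[0] == "nav":                       # collect Gamma_A for the navigation rule
            nav.setdefault(f[1], []).append(f[2])
        elif f[0] == "or":                        # disjunctive rule: two children
            for g in (f[1], f[2]):
                yield from expand(o, todo + [g], lits, nav, fresh)
            return
        else:                                     # f = ("not", g)
            g = f[1]
            if g[0] == "p":
                lits.append(("neg", o, g[1]))
            elif g[0] == "eq":
                lits.append(("neq", absolute(g[1], o), absolute(g[2], o)))
            elif g[0] == "not":
                todo.append(g[1])
            elif g[0] == "or":
                todo += [("not", g[1]), ("not", g[2])]
            elif g[0] == "bind":                  # ~Ex=t(f)  =>  x = t, ~f
                todo += [("eq", ("var", g[1]), g[2]), ("not", g[3])]
            else:                                 # ~<A>f  =>  <A>~f  |  A = nil
                for h in (("nav", g[1], ("not", g[2])), ("eq", ("attr", g[1]), ("nil",))):
                    yield from expand(o, todo + [h], lits, nav, fresh)
                return
    yield from successors(o, sorted(nav.items()), lits, fresh)


def successors(o, navs, lits, fresh):
    """Navigation rule: a fresh A-successor for each attribute with non-empty
    Gamma_A; the branch collects the literals of all successors."""
    if not navs:
        yield lits
        return
    (A, gamma), rest = navs[0], navs[1:]
    o2 = f"o{next(fresh)}"
    start = [("eq", f"{o}.{A}", o2), ("neq", o2, "BOT")]   # o.A = o' and o' is an object
    for sub in expand(o2, gamma, start, {}, fresh):
        yield from successors(o, rest, lits + sub, fresh)


def consistent(lits):
    """Open-branch test (Definitions 8 and 10): union-find over absolute terms,
    congruence on pointer terms (o ~ o' forces o.A ~ o'.A), then a clash check."""
    parent = {}

    def find(t):
        parent.setdefault(t, t)
        while parent[t] != t:
            parent[t] = parent[parent[t]]
            t = parent[t]
        return t

    for l in lits:
        if l[0] == "eq":
            parent[find(l[1])] = find(l[2])
    pointers = sorted({t for l in lits if l[0] in ("eq", "neq") for t in l[1:] if "." in t})
    changed = True
    while changed:                                # closure under substitution of equals
        changed = False
        for a, b in itertools.combinations(pointers, 2):
            (oa, A), (ob, B) = a.split(".", 1), b.split(".", 1)
            if A == B and find(oa) == find(ob) and find(a) != find(b):
                parent[find(a)] = find(b)
                changed = True
    if any(find(l[1]) == find(l[2]) for l in lits if l[0] == "neq"):
        return False
    pos = {(find(l[1]), l[2]) for l in lits if l[0] == "pos"}
    return not any((find(l[1]), l[2]) in pos for l in lits if l[0] == "neg")


def satisfiable(phi):
    """phi is satisfiable iff its tableau has an open branch (Theorems 1 and 2)."""
    root = [("neq", "o0", "BOT")]
    return any(consistent(b) for b in expand("o0", [phi], root, {}, itertools.count(1)))


def valid(phi):
    return not satisfiable(("not", phi))


def conj(a, b):
    return ("not", ("or", ("not", a), ("not", b)))


SELF_LOOP = ("bind", "x", ("self",), ("nav", "A", ("eq", ("var", "x"), ("self",))))


def example_results():
    q = ("p", "q")
    # <A>q -> ~(A = nil): a pointer that can be followed is not nil
    implication = ("or", ("not", ("nav", "A", q)), ("not", ("eq", ("attr", "A"), ("nil",))))
    return {
        "diamond_implies_not_nil": valid(implication),                        # True
        "self_loop_satisfiable": satisfiable(SELF_LOOP),                       # True
        "self_loop_valid": valid(SELF_LOOP),                                   # False
        "self_loop_with_clash": satisfiable(conj(conj(SELF_LOOP, ("nav", "A", q)), ("not", q))),  # False
    }
```

The search enumerates branches lazily and stops at the first open one, so `satisfiable` returns as soon as a consistent theory is found; `valid` is the usual dual, refuting the negation. Only the $\mathcal{L}_0$ rules are implemented, not the jump or program rules of Section 5.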

5 Extensions 

In this section, we briefly discuss some interesting decidable extensions of the 
basic navigation logic presented above. 

5.1 Jump Operators 

The logic $\mathcal{L}_1$ extends the basic navigation logic $\mathcal{L}_0$ with jump operators; i.e., we 
generalise the syntax of the navigation operator to $\langle t\rangle\varphi$, where $t$ is a term in $\mathcal{T}$. 
So, if the index is a variable $x$, the operator can be used to jump back to the 
state to which $x$ is bound. 

Definition 13. The truth definition $M, o, s \models \varphi$ for the language $\mathcal{L}_1$ is the same 
as for $\mathcal{L}_0$ except: 

$$M, o, s \models \langle t\rangle\varphi \ \text{ iff }\ M, o', s \models \varphi, \text{ where } o' = [\![t]\!]_{M,o,s} \neq \bot.$$
As an example, consider the object structure $M$ in Figure 2. At the world $p$, 
the following formula is true: 

$$\langle AuthorOf\rangle\,\exists x{=}self\,\langle item(1)\rangle\,\exists y{=}PublishedBy\,\langle x\rangle\langle item(2)\rangle(PublishedBy = y)$$

which means that person $p$ is the author of two books that are published by the 
same company. 

The tableau construction for $\mathcal{L}_1$ is similar to that of $\mathcal{L}_0$ modulo some minor 
modifications. 

Definition 14. The tableau rules for $\mathcal{L}_1$ are the same as for $\mathcal{L}_0$ except for the 
navigation rule, which is generalised as follows: 

$$o : \Gamma \ \xrightarrow{t}\ o' : \Gamma_t$$

where $\Gamma_t = \{\varphi \mid \langle t\rangle\varphi \in \Gamma\}$ and $o'$ is a fresh label. 

Moreover, it suffices to modify the theory $Th(T)$ of a branch as given in Definition 
9 as follows. The support set $F$ of absolute literals additionally contains: 

$$\{x = o' \mid o \xrightarrow{x} o' \in T\} \cup \{\bot = o' \mid o \xrightarrow{nil} o' \in T\} \cup \{o = o' \mid o \xrightarrow{self} o' \in T\}.$$

The soundness and completeness proofs are similar to the proofs for $\mathcal{L}_0$. 



5.2 Navigation Programs 

In the extension $\mathcal{L}_2$, which is inspired by the dynamic logic of [8], we include 
formulas of the form $\langle\Pi\rangle\varphi$, where $\Pi$ is a navigation program that defines a 
particular navigation strategy. 

Definition 15. The navigation language $\mathcal{L}_2$, consisting of boolean conditions 
$b$, navigation programs $\Pi$ and formulas $\varphi$, is generated by the following BNF-
grammar: 

$$b ::= p \mid t_1 = t_2 \mid \neg b \mid b_1 \vee b_2$$

$$\Pi ::= A \mid \Pi_1;\Pi_2 \mid \text{if } b \text{ then } \Pi_1 \text{ else } \Pi_2 \mid \text{while } b \text{ do } \Pi$$

$$\varphi ::= b \mid \neg\varphi \mid \varphi_1 \vee \varphi_2 \mid \exists x{=}t(\varphi) \mid \langle\Pi\rangle\varphi$$

To formalise the meaning of a formula in C 2 we first define the meaning of 
navigation programs. 



Definition 16. Given a model $M = (O, K, \pi)$ and an assignment $s$, we have 
the following (standard) denotational semantics which assigns to each program 
$\Pi$ a strict mapping $\mathcal{M}(\Pi) : O \to O$: 

$$\mathcal{M}(A)(o) = K(o)(A)$$

$$\mathcal{M}(\Pi_1;\Pi_2)(o) = \mathcal{M}(\Pi_2)(\mathcal{M}(\Pi_1)(o))$$

$$\mathcal{M}(\text{if } b \text{ then } \Pi_1 \text{ else } \Pi_2)(o) = \begin{cases} \mathcal{M}(\Pi_1)(o) & \text{if } M, o, s \models b \\ \mathcal{M}(\Pi_2)(o) & \text{otherwise} \end{cases}$$

$$\mathcal{M}(\text{while } b \text{ do } \Pi)(o) = \begin{cases} \mathcal{M}(\text{while } b \text{ do } \Pi)(\mathcal{M}(\Pi)(o)) & \text{if } M, o, s \models b \\ o & \text{otherwise} \end{cases}$$

The above recursive definition of $\mathcal{M}$ can be justified by means of a (standard) 
least fixpoint construction defined in terms of the discrete complete partial order 
$(O, \sqsubseteq)$ that is defined by: $\bot \sqsubseteq o$ for all $o$, and $o \not\sqsubseteq o'$ for all distinct objects $o, o' \neq \bot$. From 
this fixpoint construction it follows that $\mathcal{M}(\text{while } b \text{ do } \Pi)(o) = \bot$ in case the 
program while $b$ do $\Pi$ does not terminate in $o$. 

We have the following truth definition. 



Definition 17. The truth definition $M, o, s \models \varphi$ for the language $\mathcal{L}_2$ is similar 
to that for $\mathcal{L}_0$ except: 

$$M, o, s \models \langle\Pi\rangle\varphi \ \text{ iff }\ M, o', s \models \varphi, \text{ where } o' = \mathcal{M}(\Pi)(o) \neq \bot.$$



It is worthwhile to observe that the truth of the formula $\langle\text{while } b \text{ do } \Pi\rangle true$ 
implies that the program while $b$ do $\Pi$ terminates. In the light of the Halting 
Problem, however, this does not imply that we cannot decide the validity of 
formulas in the language $\mathcal{L}_2$, because our navigation programs are not Turing 
complete. 

As an example of $\mathcal{L}_2$, the formula 

$$\langle\text{while } \neg(y = self) \text{ do } A\rangle true$$

states that the object denoted by $y$ is reachable from the current object by a 
finite chain of $A$-links. 
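The fixpoint reading of while can be executed directly on a finite model. Below is an added example, not code from the paper, that implements Definitions 16 and 17 in Python and checks the reachability formula above on a constructed object structure (an $A$-chain with a cycle, an object that nothing points to, and a nil pointer). Because the set of objects is finite and the body of a loop is a deterministic mapping, a loop that returns to an object it has already visited can never terminate, and that is exactly the point at which the example returns $\bot$. The program and model encodings are the example's own; the condition evaluator is a cut-down copy of the $\mathcal{L}_0$ clauses.

```python
# Added example (not from the paper): the denotational semantics of navigation
# programs (Definition 16) and the <Pi>phi clause (Definition 17) on a finite
# model. Programs are tuples: ("attr", A) ("seq", P1, P2) ("if", b, P1, P2)
# ("while", b, P). Conditions b are ("p", name) ("eq", t1, t2) ("not", b) ("or", b1, b2)
# over terms ("nil",) ("self",) ("attr", A) ("var", x). A model is
# {"K": {obj: {attr: obj}}, "pi": {obj: set_of_props}}; a missing attribute is nil.
BOTTOM = None


def term_value(model, o, s, t):
    """[[t]]_{M,o,s} for the four kinds of term."""
    if t[0] == "nil":
        return BOTTOM
    if t[0] == "self":
        return o
    if t[0] == "attr":
        return model["K"][o].get(t[1], BOTTOM)
    return s[t[1]]


def cond(model, o, s, b):
    """Boolean condition b at object o (p | t1 = t2 | ~b | b1 \\/ b2)."""
    if b[0] == "p":
        return b[1] in model["pi"].get(o, set())
    if b[0] == "eq":
        return term_value(model, o, s, b[1]) == term_value(model, o, s, b[2])
    if b[0] == "not":
        return not cond(model, o, s, b[1])
    return cond(model, o, s, b[1]) or cond(model, o, s, b[2])


def run(model, o, s, prog):
    """M(prog)(o): a strict mapping; BOTTOM when a nil pointer is followed or a
    while loop does not terminate in o."""
    if o is BOTTOM:
        return BOTTOM
    k = prog[0]
    if k == "attr":
        return model["K"][o].get(prog[1], BOTTOM)
    if k == "seq":
        return run(model, run(model, o, s, prog[1]), s, prog[2])
    if k == "if":
        return run(model, o, s, prog[2] if cond(model, o, s, prog[1]) else prog[3])
    # while: the model is finite and the body deterministic, so the least fixpoint
    # is reached by iterating; revisiting an object means the loop diverges.
    seen = set()
    while o is not BOTTOM and cond(model, o, s, prog[1]):
        if o in seen:
            return BOTTOM
        seen.add(o)
        o = run(model, o, s, prog[2])
    return o


def diamond(model, o, s, prog, phi):
    """M,o,s |= <prog>phi, with phi given as a Python predicate on the target object."""
    o2 = run(model, o, s, prog)
    return o2 is not BOTTOM and phi(o2)


REACH_A = ("while", ("not", ("eq", ("var", "y"), ("self",))), ("attr", "A"))


def reachable(model, src, dst):
    """<while ~(y = self) do A>true evaluated at src with y bound to dst."""
    return diamond(model, src, {"y": dst}, REACH_A, lambda _: True)


# Constructed model: an A-chain o0 -> o1 -> o2 -> o3 -> o1 (a cycle), an object
# o4 that nothing points to, and o5 whose A pointer is nil.
CHAIN = {"K": {"o0": {"A": "o1"}, "o1": {"A": "o2"}, "o2": {"A": "o3"},
               "o3": {"A": "o1"}, "o4": {"A": "o0"}, "o5": {}},
         "pi": {"o2": {"marked"}}}


def example_results():
    skip_marked = ("while", ("p", "marked"), ("attr", "A"))   # step past marked objects
    return {
        "o0_reaches_o3": reachable(CHAIN, "o0", "o3"),   # True
        "o0_reaches_o4": reachable(CHAIN, "o0", "o4"),   # False: the cycle never visits o4
        "o0_reaches_o0": reachable(CHAIN, "o0", "o0"),   # True: zero iterations
        "o5_reaches_o0": reachable(CHAIN, "o5", "o0"),   # False: nil pointer
        "two_steps": run(CHAIN, "o0", {}, ("seq", ("attr", "A"), ("attr", "A"))),  # "o2"
        "skip_marked": run(CHAIN, "o2", {}, skip_marked),   # "o3"
    }


if __name__ == "__main__":
    for name, value in example_results().items():
        print(f"{name}: {value}")
```

The `seen` set is what turns the least-fixpoint definition into a terminating check: it is only sound because navigation programs cannot allocate or modify anything, so the loop state is the current object alone, which is the same reason the paper gives for $\mathcal{L}_2$ staying decidable despite the Halting Problem.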



Definition 18. The tableau rules for $\mathcal{L}_2$ are given by the rules for $\mathcal{L}_0$ together 
with the following rules (we omit the context $\Delta$): 

$$\frac{o : \langle\Pi_1;\Pi_2\rangle\varphi}{o : \langle\Pi_1\rangle\langle\Pi_2\rangle\varphi}$$

$$\frac{o : \langle\text{if } b \text{ then } \Pi_1 \text{ else } \Pi_2\rangle\varphi}{o : b, \langle\Pi_1\rangle\varphi \ \mid\ o : \neg b, \langle\Pi_2\rangle\varphi} \qquad \frac{o : \neg\langle\text{if } b \text{ then } \Pi_1 \text{ else } \Pi_2\rangle\varphi}{o : b, \neg\langle\Pi_1\rangle\varphi \ \mid\ o : \neg b, \neg\langle\Pi_2\rangle\varphi}$$

$$\frac{o : \langle\text{while } b \text{ do } \Pi\rangle\varphi}{o : \neg b, \varphi \ \mid\ o : b, \langle\Pi\rangle\langle\text{while } b \text{ do } \Pi\rangle\varphi} \qquad \frac{o : \neg\langle\text{while } b \text{ do } \Pi\rangle\varphi}{o : \neg b, \neg\varphi \ \mid\ o : b, \neg\langle\Pi\rangle\langle\text{while } b \text{ do } \Pi\rangle\varphi}$$

The resulting tableau method may give rise to non-termination. However, 
in the tableau construction, we can stop applying any further rules to a leaf 
$o : \Gamma$ in case there already exists an ancestor node with the same set of formulas 
$\Gamma$. With this additional rule the method is guaranteed to terminate, because 
starting from an initial formula, only a finite number of different formulas can 
be generated. 

Additionally, a branch $T$ of a tableau now also closes if one of its leaves $o : \Gamma$ 
contains a formula of the form $\langle\text{while } b \text{ do } \Pi\rangle\varphi$. (Note that by definition there 
also exists an ancestor node of the form $o' : \Gamma$.) The new tableau method is 
sound and complete because, in case its theory does not contain an inconsistency, 
such a branch $T$ corresponds to a model in which the program while $b$ do $\Pi$ 
'loops', i.e., $\langle\text{while } b \text{ do } \Pi\rangle\varphi$ does not hold. For the same reason, a branch $T$ of 
a tableau with a consistent theory and a leaf which contains a formula of the 
form $\neg\langle\text{while } b \text{ do } \Pi\rangle\varphi$ does constitute a model. 

6 Conclusions and Future Research 

In this paper, we have presented multimodal logics for navigation across object 
structures. The starting point of these logics is the modelling of object structures 
at the implementation level as Kripke models that contain a family of determin- 
istic accessibility relations, namely one relation for each pointer attribute. The 
logics cover a variable-binding mechanism that allows the binding of logical vari- 
ables to objects that are reachable by a pointer. In this way, pointer attributes 
can be used in the logic both as first-order terms in equalities and as modal 
operators. The main result of the paper is a tableau construction for deciding 
the validity of formulas in these navigation logics. 

In [1], it is stated that for hybrid languages, i.e., modal logics that include 
mechanisms for naming the worlds of a given Kripke model: "it seems unlikely 
that restricted forms of (label) binding will lead to decidable systems." However, 
in this paper, we have shown that decidable hybrid languages can be obtained 
by restricting to particular classes of models. This point is also illustrated in [3], 
where decidability of a hybrid language is obtained for the class of strict partial 
orders. In [11], a decision procedure based on a tableau construction is given for 
hybrid logics that do not involve variable-binding mechanisms. Of interest in this 
context would be an extension of our tableau construction to hybrid languages 
that do include variable-binding. 

In the graphical modelling language uml, class diagrams can also be anno- 
tated with so-called constraints, which are formulated in the Object Constraint 
Language, OCL for short [13]. The language OCL is a textual language for the 
description of object structures mainly at the modelling level. In contrast to 
our approach, in OCL, navigation is modelled as a dereferencing operator that is 
applied to first-order terms. For instance, the term t.A denotes the value of the 
pointer attribute A of the object denoted by t. By means of a formalisation of 
navigation in terms of a modal logic, however, we are able to identify decidable 
navigation logics that are still expressive enough to express interesting proper- 
ties of object structures. Future work concerns an extension of our approach to 
the modelling level of class diagrams and the development of tools for computer- 
aided-verification by means of an implementation of the corresponding tableau 
procedure. 
At the implementation level another interesting line of future work concerns 
an application of our decidable navigation logics to the computer-aided-
verification of the correctness of object-oriented programs. Such an application 
involves the definition of a weakest precondition calculus [4] for our navigation 
logics. 
Abstract. The ambient calculus is a formalism for describing the mo- 
bility of both software and hardware. The ambient logic is a modal logic 
designed to specify properties of distributed and mobile computations 
programmed in the ambient calculus. In this paper we investigate the 
border between decidable and undecidable cases of model checking mo- 
bile ambients for some fragments of the ambient calculus and the ambient 
logic. 

Recently, Cardelli and Gordon presented a model-checking algorithm for 
a fragment of the calculus (without name restriction and without repli- 
cation) against a fragment of the logic (without composition adjunct) 
and asked the question, whether this algorithm could be extended to 
include either replication in the calculus or composition adjunct in the 
logic. Here we answer this question negatively: it is not possible to extend 
the algorithm, because each of these extensions leads to undecidability of 
the problem. On the other hand, we extend the algorithm to the calculus 
with name restriction and logic with new constructs for reasoning about 
restricted names. 



1 Introduction 

The ambient calculus [6,4,2] is a process calculus for modeling mobile compu- 
tations and mobile devices; one can describe the mobility of both software and 
hardware in this formalism. An ambient is a named cluster of running processes 
and nested sub-ambients. Each computation state has a spatial structure, the 
tree induced by the nesting of ambients. Mobility is abstractly represented by 
re-arrangement of this tree: an ambient may move inside or outside other ambi- 
ents. 

The ambient logic [5] is a modal logic designed to specify properties of dis- 
tributed and mobile computations programmed in the ambient calculus. As well 
as standard temporal modalities for describing the evolution of ambient pro- 
cesses over the time, the logic includes spatial modalities for describing the tree 
structure of processes. In a recent paper, Cardelli and Gordon extend the logic 
with the constructs for describing private names [7]. Other work on the ambi- 
ent logic includes a study of the process equivalence induced by the satisfaction 
relation [11] and the use of spatial modalities to describe the tree structure of 
semistructured databases [1]. 
The model-checking problem is to decide whether a given object (in our case,
an ambient process) satisfies (that is, is a model of) a given formula. Cardelli 
and Gordon [5] give a model-checking algorithm for the fragment of the calculus 
in which the processes contain no replications and no dynamic name generation 
against a fragment of the logic in which formulas contain no composition adjunct. 
It was then proved in [8] that model checking of this fragment of the calculus 
against this fragment of the logic is PSPACE-complete. 

Our results. Cardelli and Gordon raised in [5] the question whether their al- 
gorithm for model-checking could be extended to include either replication in 
the calculus or composition adjunct in the logic. Here we answer this question 
negatively: it is not possible to extend the algorithm, because each of these ex- 
tensions leads to undecidability. On the other hand, we show that the restriction 
to public names was not necessary: model checking remains decidable for the 
replication-free fragment with dynamic name generation, even if we extend the 
logic with constructs from [7] for reasoning about restricted names. Moreover, 
this extension does not increase the complexity of the problem: one can obtain
a PSPACE algorithm by combining the abstract algorithm presented in Section 5
with the representation of processes proposed in [8].

We start by recalling the calculus and the logic in the next section. Then 
we prove the undecidability of the problem for the two mentioned extensions: 
in Section 3 for the case of the calculus with replication and in Section 4 for 
the case of the logic with composition adjunct. Finally, in Section 5 we present 
the model-checking algorithm extended to the case of the calculus with name 
restriction and the logic with constructs for reasoning about these names. 

2 Review of the Ambient Calculus and Logic 

In this section we recall the ambient calculus and logic from [6,5,7]. 



2.1 The Ambient Calculus 

The following table describes the expressions and processes of our calculus.

Processes and Capabilities:

  P, Q ::=                processes            M ::=          capabilities
    0                     inactivity             n            name
    M[P]                  ambient                in M         can enter M
    P | Q                 composition            out M        can exit M
    M.P                   capability action      open M       can open M
    (n).P                 input action           ε            null
    ⟨M⟩                   output action          M.M'         path
    !P                    replication
    (νn)P                 name restriction

The sets bn(P) and fn(P) of bound and free names of a given process P are defined in the usual way, keeping in mind that (νn) and (n) are name binders. We identify processes up to renaming of bound names. We write P{n←M} for the substitution of the expression M for the name n in the process P.

The semantics of the calculus is given by the relations P ≡ Q and P → Q. The reduction relation, P → Q, defines the evolution of processes over time. The structural congruence relation, P ≡ Q, is an auxiliary relation used in the definition of reduction. When we define the satisfaction relation of the modal logic in the next section, we use an auxiliary relation, the sublocation relation, P ↓ Q, which holds when Q is the whole interior of a top-level ambient in P. We write →* and ↓* for the reflexive and transitive closure of → and ↓ respectively.



Structural Congruence P ≡ Q:

  P ≡ P                                        (Str Refl)
  P ≡ Q ⇒ Q ≡ P                                (Str Symm)
  P ≡ Q, Q ≡ R ⇒ P ≡ R                         (Str Trans)
  P ≡ Q ⇒ (νn)P ≡ (νn)Q                        (Str Res)
  P ≡ Q ⇒ P | R ≡ Q | R                        (Str Par)
  P ≡ Q ⇒ !P ≡ !Q                              (Str Repl)
  P ≡ Q ⇒ n[P] ≡ n[Q]                          (Str Amb)
  P ≡ Q ⇒ M.P ≡ M.Q                            (Str Action)
  P ≡ Q ⇒ (n).P ≡ (n).Q                        (Str Input)
  ε.P ≡ P                                      (Str ε)
  (M.M').P ≡ M.M'.P                            (Str .)
  (νn)(νm)P ≡ (νm)(νn)P                        (Str Res Res)
  (νn)0 ≡ 0                                    (Str Res Zero)
  (νn)(P | Q) ≡ P | (νn)Q   if n ∉ fn(P)       (Str Res Par)
  (νn)(m[P]) ≡ m[(νn)P]     if n ≠ m           (Str Res Amb)
  P | 0 ≡ P                                    (Str Zero Par)
  P | Q ≡ Q | P                                (Str Par Comm)
  (P | Q) | R ≡ P | (Q | R)                    (Str Par Assoc)
  !0 ≡ 0                                       (Str Repl Zero)
  !(P | Q) ≡ !P | !Q                           (Str Repl Par)
  !P ≡ P | !P                                  (Str Repl Copy)
  !P ≡ !!P                                     (Str Repl Repl)

Reduction P → Q and Sublocation P ↓ Q:

  n[in m.P | Q] | m[R] → m[n[P | Q] | R]         (Red In)
  m[n[out m.P | Q] | R] → n[P | Q] | m[R]        (Red Out)
  open n.P | n[Q] → P | Q                        (Red Open)
  ⟨M⟩ | (n).P → P{n←M}                           (Red I/O)
  P → Q ⇒ (νn)P → (νn)Q                          (Red Res)
  P → Q ⇒ P | R → Q | R                          (Red Par)
  P → Q ⇒ n[P] → n[Q]                            (Red Amb)
  P' ≡ P, P → Q, Q ≡ Q' ⇒ P' → Q'                (Red ≡)
  P ≡ n[Q] | P' ⇒ P ↓ Q                          (Loc)

When no confusion is possible, we omit the inactive process 0; for instance, we shorten open n.0 and m[0] as open n and m[], respectively.



2.2 The Ambient Logic 

We describe the formulas and satisfaction relation of the logic. This is the logic 
defined in [5] extended with the two revelation constructs for handling name 
restriction [7]. 
Logical Formulas:

  η                      a name n or a variable x

  A, B ::=               formula
    T                    true
    ¬A                   negation
    A ∨ B                disjunction
    0                    void
    A | B                composition match
    A ▷ B                composition adjunct
    η[A]                 location
    A@η                  location adjunct
    η®A                  revelation
    A©η                  revelation adjunct
    ◇A                   sometime modality
    ✧A                   somewhere modality
    ∃x.A                 existential quantification


We assume that names and variables belong to two disjoint vocabularies. We write A{x←m} for the outcome of substituting each free occurrence of the variable x in the formula A with the name m. The sets of bound and free variables of a given formula are defined in the usual way, keeping in mind that ∃ is the only variable binder. There are no name binders for formulas, so all names occurring in a formula are free. We say a formula A is closed if and only if it has no free variables (though it may contain free names).

Intuitively, we interpret closed formulas as follows. The formulas T, ¬A, and A ∨ B embed propositional logic. The formulas 0, η[A], and A | B are spatial modalities. A process satisfies 0 if it is structurally congruent to the inactive process. It satisfies n[A] if it is structurally congruent to an ambient n[P] where P satisfies A. A process P satisfies A | B if it can be decomposed into two subprocesses, P ≡ Q | R, where Q satisfies A, and R satisfies B. The formula ∃x.A is an existential quantification over names. The formulas ◇A (sometime) and ✧A (somewhere) quantify over time and space, respectively. A process satisfies ◇A if it has a temporal successor, that is, a process into which it evolves, that satisfies A. A process satisfies ✧A if it has a spatial successor, that is, a sublocation, that satisfies A. A process P satisfies the formula A@n if the ambient n[P] satisfies A. A process P satisfies A ▷ B if for all P', the process P | P' guarantees B assuming that P' satisfies A. Finally, we discuss shortly the two logical constructs for reasoning about restricted names that were not present in [5,8]. Intuitively, a process P satisfies the formula n®A (read "reveal n then A") if it is possible to pull a restricted name from P to the top and rename it n and then strip off the restriction to leave a residual process that satisfies A. The inverse of revelation is hiding: a process P satisfies A©n (read "hide n then A") if it is possible to hide n in P and then satisfy A.

The satisfaction relation P ⊨ A provides the semantics of our logic.

Satisfaction P ⊨ A (for A Closed):

  P ⊨ T
  P ⊨ ¬A        =  ¬(P ⊨ A)
  P ⊨ A ∨ B     =  P ⊨ A ∨ P ⊨ B
  P ⊨ 0         =  P ≡ 0
  P ⊨ A | B     =  ∃P', P''. P ≡ P' | P'' ∧ P' ⊨ A ∧ P'' ⊨ B
  P ⊨ A ▷ B     =  ∀P'. P' ⊨ A ⇒ P | P' ⊨ B
  P ⊨ n[A]      =  ∃P'. P ≡ n[P'] ∧ P' ⊨ A
  P ⊨ A@n       =  n[P] ⊨ A
  P ⊨ n®A       =  ∃P'. P ≡ (νn)P' ∧ P' ⊨ A
  P ⊨ A©n       =  (νn)P ⊨ A
  P ⊨ ◇A        =  ∃P'. P →* P' ∧ P' ⊨ A
  P ⊨ ✧A        =  ∃P'. P ↓* P' ∧ P' ⊨ A
  P ⊨ ∃x.A      =  ∃m. P ⊨ A{x←m}

We use □A (everytime modality), ✦A (everywhere modality) and ∀x.A (universal quantification) as abbreviations for ¬(◇¬A), ¬(✧¬A) and ¬(∃x.¬A), respectively.



3 Calculus with Replication 

In this section we show that model checking for the ambient calculus with replication (but still without name restriction, and in fact without communication) against the ambient logic (without composition adjunct) is undecidable. We use here α, β, γ for words in {a,b}*, σ for letters in {a,b} and ε for the empty word. Lower-case strings (possibly with subscripts) like c_i, n_i, w_i, start_i, word_i, compare denote ambient names, while upper-case strings like Concatenate, Compare, Word_i denote processes.

Encoding of PCP. The undecidability proof is done by a reduction of the Post correspondence problem (PCP). An instance of the problem is a set of pairs of words {(α_1,β_1), ..., (α_n,β_n)} over the two-letter alphabet {a,b} (that is, α_i, β_i ∈ {a,b}*). The question is whether there exists a sequence of numbers 1 ≤ i_1, i_2, ..., i_k ≤ n such that α_{i_1} · ... · α_{i_k} = β_{i_1} · ... · β_{i_k}, where · denotes word concatenation. It is well known that the Post correspondence problem is undecidable [10].

The idea of the reduction is to construct for a given instance of PCP a process 
P whose reduction simulates all possible concatenations of pairs of words in the 
instance. Then we have to only check if a process representing two equal words 
is reachable. 

The process P is defined as the parallel composition

  P = start_1[] | start_2[] | Word_1(ε) | Word_2(ε) | Concatenate | Compare,

where start_1 and start_2 are two different ambient names (we write ambient names with lower-case letters and (meta-)names of processes in upper case) and Word_i(w) is a process representing the word w (we start with the empty word). Before we give the precise definition of the processes Word_i(w), Concatenate, Compare, we briefly describe the intuition behind them. Concatenate is a process responsible for concatenating pairs of words from the given instance of PCP: it chooses nondeterministically a pair (α_i, β_i) and rewrites Word_1(α) | Word_2(β) to Word_1(α_i · α) | Word_2(β_i · β); this is done again and again. At some nondeterministically chosen point of time the process Compare activates: it stops Concatenate and starts comparing the two words represented by Word_1 and Word_2 by nondeterministically choosing the letter a or b and trying to delete it simultaneously from both words; this is repeated until both words are empty or they start with a different letter. Clearly, the instance of PCP has a solution if and only if there exists a (nonempty) execution of the process that ends with the representation of two empty words.
  Concatenate = !(open start_1. open start_2. open pair) |
                !pair[Concatenate_1(α_1) | Concatenate_2(β_1)] |
                ... |
                !pair[Concatenate_1(α_n) | Concatenate_2(β_n)]

The two ambients start_1[] and start_2[] are used for synchronization: the only possible reduction is to open start_1[] and then start_2[]; after this the two ambients disappear and they will appear again only after Concatenate_1 and Concatenate_2 finish their jobs. In this way we avoid processing two different pairs at the same time (and thus confusing different pairs during computation).

Thus, in every iteration of Concatenate, we rewrite in several steps a process of the form start_1[] | start_2[] | Word_1(α) | Word_2(β) | Concatenate | Compare to

  Word_1(α) | Word_2(β) | Concatenate_1(α') | Concatenate_2(β') | Concatenate | Compare

for some words α, β and some pair (α', β') from the instance of PCP. Intuitively, two words γ = σ_1 ... σ_k and γ' = σ'_1 ... σ'_k' in {a,b}* are represented by ambients σ_1[σ_2[... σ_k[] ...]] and σ'_1[σ'_2[... σ'_k'[] ...]]; the process Concatenate_i(γ') leads the process Word_i(γ) inside the innermost ambient of the representation of γ' and generates an ambient start_i[] so that

  Word_i(γ) | Concatenate_i(γ') →* Word_i(γ' · γ) | start_i[].

The details are quite technical and are presented in the appendix. Then the initial process rewrites to

  start_1[] | start_2[] | Word_1(α' · α) | Word_2(β' · β) | Concatenate | Compare
The process Compare works in a similar way. 

  Compare = compare[] | Initialize.(!(open compare. Consume(a)) |
                                    !(open compare. Consume(b)))

The initialization essentially opens start_1 and start_2 so that Concatenate is blocked. The process Consume(a) replaces the representation of the two words α, β by α', β' if α = aα' and β = aβ' by simply opening the leading ambients a[...] in the representation of both words; similarly Consume(b) opens the leading b[...] if both words start with b. The ambient compare[] is used for synchronization to avoid deleting different letters from the two words. The details are presented in the appendix.

We have the following theorem. 

Theorem 3.1. The model checking problem for the ambient calculus with replication against the ambient logic is undecidable.

Proof. Let P be the process defined above (note that the definition of P depends on the instance of PCP). We have already seen that the instance has a solution if and only if there exists an execution of P starting with the concatenation of at least one pair and ending in a configuration representing the pair of empty words. This can be expressed by the formula

  A = ◇(nonempty(w_1) ∧ ◇(empty(w_1) ∧ empty(w_2)))

where

  nonempty(w_i) = ✧w_i[(a[T] ∨ b[T]) | T]
  empty(w_i) = ¬nonempty(w_i).

Here, w_i is an ambient name used in the encoding of the process Word_i(γ) (see the appendix for details), and the formula a[T] ∨ b[T] is matched by (the encoding of) the first letter in the word γ. Then P ⊨ A if and only if the instance of PCP has a solution. □

It should be noticed that our proof of undecidability of model-checking the 
ambient calculus with replication but without private names implies that reacha- 
bility via reduction for ambient processes with public names and with replication 
is undecidable. 

4 Logic with Composition Adjunct 

We investigate in this section the problem of model checking ambients against 
formulas that may contain composition adjunct. Let us first show that the model 
checking problem of formulas with composition adjunct subsumes the satisfia- 
bility problem of formulas without composition adjunct. 

Proposition 4.1. The process 0 satisfies the formula ¬(T ▷ ¬A) if and only if the formula A is satisfiable.

Proof. By definition, 0 ⊨ T ▷ ¬A if and only if for all processes P that satisfy T, the process P | 0 satisfies ¬A. Since all processes satisfy T and P | 0 is equivalent to P, by the definition of satisfaction for negation we have that 0 ⊨ ¬(T ▷ ¬A) if and only if there exists P that satisfies A. □

We show now that the satisfiability problem for ambient formulas (even without composition adjunct) is an undecidable problem¹. Thus, it implies

Theorem 4.1. The model checking problem of ambient processes without replication and name restriction against formulas with composition adjunct is undecidable.

Let us consider the set F of first-order formulas defined over a countable set of variables x, y, z, ... and some relational symbols {R_1, ..., R_k}, each of those symbols having strictly positive arity. The set of formulas F is the least set such that (i) for any R_i with arity l, F contains R_i(x_1, ..., x_l), and (ii) for all φ and φ' in F, φ ∧ φ', ¬φ, and ∃xφ belong to F.

¹ Actually we consider a very small fragment of the logic, in particular without temporal modalities.

Formulas from F are interpreted over structures; a structure S over some domain D is simply a set of objects of the form R_i(a_1, ..., a_l) where R_i is an l-ary relational symbol and a_1, ..., a_l are elements of D. We say that a structure S is finite whenever its domain D is finite.

A formula is said to be closed if it has no free variables. We assume w.l.o.g. that in formulas bound variables are pairwise distinct. For a formula φ and a structure S with domain D, a valuation σ is a mapping from the free variables of φ to D. A structure S is a model of a formula φ under a valuation σ (written S,σ ⊨ φ) if

  – R_i(x_1, ..., x_l)σ ∈ S for φ = R_i(x_1, ..., x_l),
  – S,σ ⊨ φ' and S,σ ⊨ φ'' for φ = φ' ∧ φ'',
  – S,σ ⊭ φ' for φ = ¬φ',
  – there exists a in D such that S,σ{x←a} ⊨ φ' for φ = ∃xφ'.



Theorem 4.2 (Trakhtenbrot [12]). Given a closed first-order formula φ, it is undecidable to know whether φ admits a finite model.

With a formula φ from F we associate a formula [[φ]] from the ambient logic inductively defined as follows:

  – [[R_i(x_1, ..., x_l)]] = r_i[x_1[x_2[... [x_l[0]] ...]]] | T,
  – [[φ ∧ φ']] = [[φ]] ∧ [[φ']],
  – [[¬φ]] = ¬[[φ]],
  – [[∃xφ]] = ∃x((d[x[0]] | T) ∧ [[φ]]).

Note that we identify first-order variables in formulas from F with variables of the ambient logic. Therefore, free variables of φ and [[φ]] coincide.

The key idea of this encoding is to consider the parallel operator of the ambient calculus as a (multi-)set constructor. Then, the finite domain D as well as the structure S are encoded in a straightforward way using simply the ambient name d for elements from D and ambient names r_i for the relational symbols R_i in S.

Lemma 4.1. A closed formula φ from F admits a finite model iff there exists an ambient process P without replication and without name restriction such that P ⊨ [[φ]].

The proof of Lemma 4.1 can be found in the appendix. It is straightforward 
that Lemma 4.1 and Theorem 4.2 yield the undecidability of the satisfiability 
problem of the logic without composition adjunct over ambient processes without 
replication and name restriction. Hence, Theorem 4.1 follows. 
5 Calculus with Name Restriction

In this section we show that the model-checking algorithm from [5] can be ex- 
tended to the calculus with name restriction. Moreover, the additional logical 
operators introduced in [7] do not influence the decidability. We recall that, as 
in [5], the logic does not contain the composition adjunct and the calculus does 
not contain replication. 

First, we fix the representation of the processes: using α-renaming of restricted names and the rules (Str Res Par) and (Str Res Amb) of the congruence relation, we group together all name-restriction operators by transforming every process to one of the form (νn_1) ... (νn_k)P where every occurrence of name restriction is guarded by an action, that is, every name restriction occurring in P occurs in a subprocess of the form M.P' or (n).P' with M ≠ ε. Formally, a process is guarded if it is of the form

  in M.P, out M.P, open M.P, n.P, (n).P, or ⟨M⟩

for some process P and expression M. Note that neither a guarded process nor any of its subprocesses can be reduced (a guarded process can be reduced only if it occurs in a parallel composition with other processes) and that the sublocation relation does not look inside a guarded process. We separate bound names from the unguarded part of a process using the following function separate. Recall that we assume that all bound names are renamed apart so that they are different.

Separating Bound Names from a Process

  separate(P) = (∅, P)                        if P is guarded
  separate((νn)P) = (N ∪ {n}, P')             if separate(P) = (N, P')
  separate(n[P]) = (N, n[P'])                 if separate(P) = (N, P')
  separate(P | Q) = (N ∪ N', P' | Q')         if separate(P) = (N, P') and
                                                 separate(Q) = (N', Q')

The definition of the → and ↓ relations extends in a straightforward way to the representation with bound names separated from the process. We say that (N, P) → (N', P') if there exists P'' such that P → P'', separate(P'') = (N'', P') and N' = N ∪ N''. Similarly, (N, P) ↓ (N, P') if there exist n, P'' such that P ≡ n[P'] | P'' and n ∉ N. As usual, →* and ↓* are the reflexive and transitive closures of → and ↓ respectively. We define

  Reachable(N, P) = {(N', P') | (N, P) →* (N', P')}
  Sublocations(N, P) = {(N, P') | (N, P) ↓* (N, P')}

Example 5.1. Consider the processes P_1 = (m).(νn)(m[in n] | n[]) | ⟨a⟩, P_2 = (νn)(m).(m[in n] | n[]) | ⟨a⟩ and the formulas A_1 = ◇(n®n[a[T]]) and A_2 = n®(◇n[a[T]]).

The process P_1 is guarded, so separate(P_1) = (∅, P_1); the process P_2 is not guarded and separate(P_2) = ({n}, (m).(m[in n] | n[]) | ⟨a⟩). In both cases, that is for i = 1,2, using the reduction (Red I/O) followed by (Red In), we reduce

  separate(P_i) → ({n}, a[in n] | n[]) → ({n}, n[a[]]).

The reader can check that P_1 ⊨ A_1 and P_2 ⊨ A_2. Moreover, P_2 ⊨ A_1, but P_1 ⊭ A_2.

Now we are ready to define our model-checking algorithm. It is an extension of the algorithms from [5,8] to the calculus and logic with name restriction. We write ⊎ for disjoint union, that is, A = B ⊎ C iff A = B ∪ C ∧ B ∩ C = ∅. We recall the assumption that all bound names in the process are renamed apart so that they are all different from each other and different from all free names occurring in the process and the formula.

Model-Checking Algorithm

  Check(N, P, T) = T
  Check(N, P, ¬A) = ¬Check(N, P, A)
  Check(N, P, A ∨ B) = Check(N, P, A) ∨ Check(N, P, B)
  Check(N, P, A | B) = ∨_{N_1 ⊎ N_2 = N, P ≡ P_1 | P_2} Check(N_1, P_1, A) ∧ Check(N_2, P_2, B) ∧
                                 fn(P_1) ∩ N_2 = ∅ ∧ fn(P_2) ∩ N_1 = ∅
  Check(N, P, n[A]) = P ≡ n[Q] ∧ n ∉ N ∧ Check(N, Q, A)
  Check(N, P, A@n) = Check(N, n[P], A)
  Check(N, P, n®A) = ∨_{m ∈ N} Check(N − {m}, P{m←n}, A)
                     ∨ (n ∉ fn(P) ∧ Check(N, P, A))
  Check(N, P, A©n) = Check(N ∪ {n}, P, A)
  Check(N, P, ◇A) = ∨_{(N',P') ∈ Reachable(N,P)} Check(N', P', A)
  Check(N, P, ✧A) = ∨_{(N,P') ∈ Sublocations(N,P)} Check(N, P', A)
  Check(N, P, ∃x.A) = let n_0 ∉ N ∪ fn(P) ∪ bn(P) be a fresh name in
                      ∨_{n ∈ fn(N,P) ∪ fn(A)} Check(N, P, A{x←n})
                      ∨ Check(N, P, A{x←n_0})
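As an added example (not code from the paper), the following Python implements the public-name, capability-free fragment of Check above, with the composition match enumerating every decomposition P ≡ P_1 | P_2 and the existential quantifier instantiated as in Proposition 5.2, and uses it to exercise the Section 4 encoding [[φ]] on a constructed two-element structure. The representation of processes as tuples of (name, interior) pairs, the '$'-prefixed variables, and the names check, encode_formula, encode_structure and STRUCT are this example's own assumptions.

```python
"""Added example, not the paper's code: Check for the static spatial fragment
(T, not, or, 0, n[A], A|B, somewhere, exists) over replication-free,
restriction-free ambient trees, plus the Section 4 encoding of finite
first-order structures. Assumed representation: a process is a tuple of
ambients (name, interior); variables are strings starting with '$'."""
from itertools import product

def is_var(s):
    return isinstance(s, str) and s.startswith('$')

def fn_proc(p):
    """Free names of a process (every name is free: no restriction here)."""
    return set().union(*[{n} | fn_proc(q) for n, q in p])

def fn_form(f):
    """Names occurring in a formula (variables do not count as names)."""
    names = {f[1]} if f[0] == 'amb' and not is_var(f[1]) else set()
    return names.union(*[fn_form(g) for g in f[1:] if isinstance(g, tuple)])

def subst(f, x, n):
    """A{x <- n}: replace free occurrences of variable x by the name n."""
    if f[0] == 'amb':
        return ('amb', n if f[1] == x else f[1], subst(f[2], x, n))
    if f[0] == 'exists':
        return f if f[1] == x else ('exists', f[1], subst(f[2], x, n))
    return (f[0],) + tuple(subst(g, x, n) if isinstance(g, tuple) else g for g in f[1:])

def sublocations(p):
    """P ↓* P': P itself and the interior of every ambient nested in it."""
    yield p
    for _, q in p:
        yield from sublocations(q)

def check(p, f):
    """Check(P, A) for the public-name fragment of the algorithm in Section 5."""
    tag = f[0]
    if tag == 'T':
        return True
    if tag == 'not':
        return not check(p, f[1])
    if tag == 'or':
        return check(p, f[1]) or check(p, f[2])
    if tag == '0':
        return len(p) == 0
    if tag == 'amb':  # P ≡ n[Q]: exactly one ambient, with the right name
        return len(p) == 1 and p[0][0] == f[1] and check(p[0][1], f[2])
    if tag == 'par':  # disjunction over every split P ≡ P1 | P2 of the multiset
        return any(check(tuple(a for a, m in zip(p, mask) if not m), f[1]) and
                   check(tuple(a for a, m in zip(p, mask) if m), f[2])
                   for mask in product((0, 1), repeat=len(p)))
    if tag == 'somewhere':
        return any(check(q, f[1]) for q in sublocations(p))
    if tag == 'exists':  # Proposition 5.2: names of P and A plus one fresh name
        names = fn_proc(p) | fn_form(f[2])
        n0 = 'n0'
        while n0 in names:
            n0 += "'"
        return any(check(p, subst(f[2], f[1], n)) for n in names | {n0})
    raise ValueError('unknown connective %r' % (tag,))

def conj(a, b):
    return ('not', ('or', ('not', a), ('not', b)))

def encode_formula(phi):
    """[[phi]] from Section 4; first-order formulas are ('rel', r, [x..]),
    ('and', .., ..), ('not', ..) and ('exists', x, ..)."""
    tag = phi[0]
    if tag == 'rel':
        chain = ('0',)
        for v in reversed(phi[2]):
            chain = ('amb', v, chain)
        return ('par', ('amb', phi[1], chain), ('T',))
    if tag == 'and':
        return conj(encode_formula(phi[1]), encode_formula(phi[2]))
    if tag == 'not':
        return ('not', encode_formula(phi[1]))
    x = phi[1]  # 'exists': the guard d[x[0]] | T keeps x inside the domain
    return ('exists', x, conj(('par', ('amb', 'd', ('amb', x, ('0',))), ('T',)),
                              encode_formula(phi[2])))

def encode_structure(domain, facts):
    """d[a[0]] for each a in D, r[a1[...[al[0]]...]] for each R(a1..al) in S."""
    procs = [('d', ((a, ()),)) for a in domain]
    for r, args in facts:
        chain = ()
        for a in reversed(args):
            chain = ((a, chain),)
        procs.append((r, chain))
    return tuple(procs)

# Constructed structure: D = {a, b} with one binary relation R = {(a, b)}.
STRUCT = encode_structure(['a', 'b'], [('r', ('a', 'b'))])
EXISTS_EDGE = ('exists', '$x', ('exists', '$y', ('rel', 'r', ['$x', '$y'])))
SELF_LOOP = ('exists', '$x', ('rel', 'r', ['$x', '$x']))
TOTAL = ('not', ('exists', '$x', ('not', ('exists', '$y', ('rel', 'r', ['$x', '$y'])))))
```

check(STRUCT, encode_formula(EXISTS_EDGE)) is true, while both SELF_LOOP and TOTAL (b has no R-successor) come out false, matching the first-order truth values on the structure.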

The correctness of the algorithm (Theorem 5.1) is based on the following 
lemmas and propositions. 

Proposition 5.1.

(1) (νn)P ≡ 0 if and only if P ≡ 0.

(2) If n and m are different names, then (νn)P ≡ m[Q] if and only if there exists a process R such that P ≡ m[R] and Q ≡ (νn)R.

(3) (νn)P ≡ Q | Q' if and only if there exist processes R, R' such that either Q ≡ (νn)R and Q' ≡ R' and n ∉ fn(Q') or Q ≡ R and Q' ≡ (νn)R' and n ∉ fn(Q).

Sketch of proof. The "if" implications follow from the (Str Res Zero), (Str Res Amb) and (Str Res Par) congruence rules. The first two of the equivalences above are stated as Inversion Lemmas (Lemmas 2-2) in [7] with a reference to [9] for a proof. However, the proof from [9] cannot be applied directly, since spatial congruence from [9] is not the same as structural congruence. In particular, it does not distinguish between the processes P_1 and P_2 from Example 5.1. On the other hand, the methods of [9] can be easily extended to the case of structural congruence.

The third equivalence is a stronger version of the third Inversion Lemma (the Inversion Lemma does not mention the n ∉ fn(Q) condition), again proved in the case of spatial congruence in [9]. Again, the same methods can be used to show our stronger version in the case of structural congruence (in the general case of processes with replication the proof is not very easy, but in the absence of replication, as we have it here, it is enough to use the Inversion Lemma together with the observation that equivalent processes have the same numbers of occurrences of free names). □

Lemma 5.1. If n ∉ fn(P) then (νn)P ≡ P.

Proof. By the rules (Str Res) and (Str Zero Par), (νn)P is equivalent to (νn)(P | 0), which by (Str Res Par), (Str Res Zero) and (Str Zero Par) is equivalent to P. □

Proposition 5.2. Consider any process P and a closed ▷-free formula A. Let fn(P) ∪ fn(A) = {n_1, ..., n_k}, and suppose n_0 ∉ {n_1, ..., n_k}. Then P ⊨ ∃x.A if and only if P ⊨ A{x←n_i} for some i ∈ {0, ..., k}.

The proof follows the lines of the proof of Proposition 4.11 in [3]. □

Lemma 5.2. For all processes P, P'

(1) P ↓ P' if and only if separate(P) ↓ separate(P'),

(2) P → P' if and only if separate(P) → separate(P'),

(3) the sets Reachable(separate(P)) and Sublocations(separate(P)) are finite and effectively computable.

Sketch of proof. The first two equivalences follow from Proposition 5.1 and the definitions of the ↓ and → relations. The third one follows from the finiteness of the analogous sets for the replication-free fragment of the ambient calculus with public names [5,8] and a simple observation that P ↓ P' and P → P' imply public(P) ↓ public(P') and public(P) → public(P'), respectively, where public(P) is the process obtained from P by removing all ν quantifiers. □

Theorem 5.1. For all replication-free processes P and closed ▷-free formulas A, we have P ⊨ A if and only if Check(separate(P), A) = T.

Sketch of proof. The proof goes by induction on the formula A. In the cases of T, ¬A, A ∨ B, A@n, A©n it follows directly from the definition of the satisfaction relation (the side condition n_0 ∉ N ∪ fn(P) in the case of A©n reflects only our convention that all bound names are renamed apart). In the case of 0 and n[A] it follows from Proposition 5.1(1) and (2), in the case of A | B from Proposition 5.1(3) by induction on the number of names in N. The cases of ◇A and ✧A follow from Lemma 5.2 and the definitions of Reachable and Sublocations; ∃x.A from Proposition 5.2. Finally, the case of n®A reflects the two possibilities that either n is one of the bound names occurring in the process or it does not occur there (in the latter case we appeal to Lemma 5.1). □

Theorem 5.2. The model-checking problem for replication-free processes against ▷-free ambient logic is decidable. Moreover, it is PSPACE-complete.

Sketch of proof. Decidability follows from Theorem 5.1. One obtains the PSPACE upper bound by combining the above algorithm with the polynomial-size representation of processes from [8] and implementing disjunction in polynomial space, as it is done in [8]. The PSPACE lower bound is proved in [8]. □



6 Conclusion 

We investigate in this paper the borders of decidability for model checking mobile ambients against the ambient logic. We started from the fragment of the mobile ambient calculus without name restriction and without replication against the logic without composition adjunct, for which decidability of model checking was shown in [5]. We have shown that adding either replication in the calculus or composition adjunct in the logic leads to undecidability of the model-checking problem. On the other hand, we have considered the extension of the calculus with private names and the adequate operators in the logic to manipulate those names. We have proved that this extension preserves decidability of model checking as well as the complexity of the original fragments.



A Encoding of PCP: Concatenation and Comparison of Words

A.1 Concatenation

Here we show how to rewrite Word_i(γ) | Concatenate_i(γ') to Word_i(γ' · γ) | start_i[]. For this, we need a precise definition of Word_i and Concatenate_i. For i = 1,2 we introduce fresh ambient names word_i, c_i, n_i, s_i, v_i, w_i; similarly, we introduce fresh names a, b corresponding to the two letters of the alphabet. Let γ = σ_1 ... σ_k and γ' = σ'_1 ... σ'_k' be two words in {a,b}*. We define

  Word_i(γ) = word_i[!open c_i | w_i[open n_i | String(γ)]]
  Concatenate_i(γ') = c_i[in word_i. MvIn_i(γ') | String'(γ', Continue_i)]
where

  String(σ_1 ... σ_k) = σ_1[σ_2[... σ_k[] ...]]
  String'(σ'_1 ... σ'_k', P) = s_i[in v_i. in w_i | σ'_1[... σ'_k'[P] ...]]
  MvIn_i(σ'_1 ... σ'_k') = n_i[in w_i. in s_i. in σ'_1 ... in σ'_k']
  MvOut(σ'_1 ... σ'_k') = out σ'_k' ... out σ'_1
  Continue_i = open w_i. v_i[MvOut(γ'). Tinue_i]
  Tinue_i = in w_i | w_i[open n_i | open s_i. out v_i. Nue_i]
  Nue_i = open v_i. start_i[out w_i. out word_i].

Then Word_i(γ) | Concatenate_i(γ') reduces by moving the ambient c_i[...] inside word_i[...] and opening it to

  word_i[!open c_i | MvIn_i(γ') | String'(γ', Continue_i) | w_i[open n_i | String(γ)]],

the ambient n_i[...] goes inside w_i and gets opened there

  word_i[!open c_i | String'(γ', Continue_i) | w_i[in s_i. in σ'_1 ... in σ'_k' | String(γ)]],

w_i[...] goes inside String'(...)

  word_i[!open c_i | String'(γ', w_i[String(γ)] | Continue_i)],

Continue_i opens w_i and v_i moves out of γ'

  word_i[!open c_i | String'(γ'γ, 0) | v_i[Tinue_i]],

s_i[...] goes inside v_i, then inside w_i and gets opened there

  word_i[!open c_i | v_i[in w_i | w_i[open n_i | out v_i. Nue_i | String(γ'γ)]]],

w_i gets out of v_i and v_i gets into w_i

  word_i[!open c_i | w_i[open n_i | v_i[] | Nue_i | String(γ'γ)]],

Nue_i opens v_i; start_i goes out of w_i and out of word_i

  Word_i(γ'γ) | start_i[]

which is the desired process. Note that since guarded processes cannot be reduced, this was the only possible execution of the process Word_i(γ) | Concatenate_i(γ').
A.2 Comparing the Words

First we define the two missing processes.

  Initialize = open start_1. open start_2. open word_1. open word_2
  Consume(σ) = n_1[in w_1. open σ. (open n_1 | Nsume(σ))]

where

  Nsume(σ) = n_2[out w_1. in w_2. open σ. (open n_2 | compare[out w_2])].

Then

  start_1[] | start_2[] | Word_1(α) | Word_2(β) | Compare

reduces to

  !open c_1 | !open c_2 |
  w_1[open n_1 | String(α)] | w_2[open n_2 | String(β)] |
  compare[] | !(open compare. Consume(a)) | !(open compare. Consume(b)).

The two processes !open c_i remain inactive, since the names c_i will never occur again. The only possibility of executing the process is to choose one of the two subprocesses consuming a or b; each of them opens compare, so the desired property now is that

  w_1[open n_1 | String(σα)] | w_2[open n_2 | String(σβ)] | Consume(σ)

reduces to

  w_1[open n_1 | String(α)] | w_2[open n_2 | String(β)] | compare[].

This can be easily checked by the reader: the process Consume(σ) is an ambient named n_1; it goes inside w_1, gets opened there, opens σ thus deleting the leading letter from σα, leaves the capability open n_1 for the next iteration, and as Nsume(σ) goes out of w_1; then it repeats the same thing with w_2 and leaves the ambient compare[] at the top level. Note that if the two words α and β start with two different letters a and b then the process w_1[open n_1 | String(α)] | w_2[open n_2 | String(β)] | Consume(σ) deadlocks after reaching a configuration where it tries to open σ but there is no ambient named σ at the respective place. If this happens, no further reduction of the whole process is possible.

B Satisfiability of the Ambient Logic

We give here the proof of Lemma 4.1. We consider the relation ∼_proc between
finite structures and ambient processes without replication and name restriction.
For a process P and a structure S whose domain is D, we have S ∼_proc P iff

— there exists P' such that P ≡ d[a[0]] | P' iff a belongs to D,

— whenever a_1, ..., a_l belong to D, there exists P'' such that P is structurally
congruent to r_i[a_1[a_2[...[a_l[0]]...]]] | P'' iff R_i(a_1, ..., a_l) belongs to S.

We denote by ∼_struct the symmetric relation of ∼_proc. Notice that
∼_proc ∘ ∼_struct is the identity relation over structures and ∼_struct ∘ ∼_proc
simply contains the identity relation.

We prove the following proposition which implies Lemma 4.1 in the case where
the formula φ is closed.

Proposition B.1. Let φ be a formula from T. Then,

(i) let S be a finite structure over a domain D and α be a valuation for the free
variables of φ. If S, α ⊨ φ and S ∼_proc P then P ⊨ ⟦φ⟧α,

(ii) let P be an ambient process without replication and name restriction and α
be a mapping from variables of φ to names. If P ⊨ ⟦φ⟧α and P ∼_struct S
then S, α ⊨ φ.

Proof. The proof goes by induction over the structure of φ.

— for φ = R_i(x_1, ..., x_l):

Case (i): S, α ⊨ R_i(x_1, ..., x_l). Therefore, for α equal to {x_1↦a_1, ...,
x_l↦a_l}, R_i(a_1, ..., a_l) belongs to S. Therefore, by definition of S ∼_proc P,
P is structurally congruent to r_i[a_1[...[a_l[0]]...]] | P' for some P'. So, P is
a model of (r_i[x_1[...[x_l[0]]...]] | T)α, that is P ⊨ ⟦R_i(x_1, ..., x_l)⟧α.

Case (ii): P ⊨ ⟦R_i(x_1, ..., x_l)⟧α. Therefore, for α = {x_1↦a_1, ..., x_l↦a_l},
P ⊨ r_i[a_1[...[a_l[0]]...]] | T. Hence, by definition of the satisfaction relation,
there exists P' such that P ≡ r_i[a_1[...[a_l[0]]...]] | P'. Since P ∼_struct S,
we have that a_1, ..., a_l belong to D and R_i(a_1, ..., a_l) belongs to S. Thus,
S, α ⊨ R_i(x_1, ..., x_l).

— for φ = φ' ∧ φ'':

Case (i): as S, α ⊨ φ, S, α ⊨ φ' and S, α ⊨ φ''. So, by induction hypothesis,
P ⊨ ⟦φ'⟧α and P ⊨ ⟦φ''⟧α. Thus, P ⊨ ⟦φ⟧α.

Case (ii): dual from the previous case.

— for φ = ¬φ':

Case (i): S, α ⊨ ¬φ'. So, S, α ⊭ φ'. Hence, by induction hypothesis for Case
(ii), either P ⊭ ⟦φ'⟧α or P ≁_struct S. Furthermore, we know by assumption
that S ∼_proc P, and so, P ∼_struct S. Hence, P ⊭ ⟦φ'⟧α holds. Therefore,
P ⊨ ¬(⟦φ'⟧α). Finally, P ⊨ ⟦φ⟧α.

Case (ii): P ⊨ ⟦¬φ'⟧α. So, P ⊭ ⟦φ'⟧α. Hence, by induction hypothesis for
Case (i), either S, α ⊭ φ' or S ≁_proc P. As by assumption P ∼_struct S,
we have S ∼_proc P. So, S, α ⊭ φ' holds. Hence, S, α ⊨ ¬φ'.
— for φ = ∃xφ':

Case (i): S, α ⊨ ∃xφ'. By definition, there exists a ∈ D such that S, α{x↦a}
⊨ φ'. By assumption S ∼_proc P, so there exists P' such that P ≡ d[a[0]] |
P'. Moreover, by induction hypothesis, P ⊨ ⟦φ'⟧α{x↦a}. Hence, P ⊨
(d[a[0]] | T) ∧ ⟦φ'⟧α{x↦a}. Hence, P ⊨ ((d[x[0]] | T) ∧ ⟦φ'⟧)α{x↦a}.

So, P ⊨ ∃x.((d[x[0]] | T) ∧ ⟦φ'⟧)α.
Case (ii): P ⊨ ⟦φ⟧α, that is by definition P ⊨ (∃x.((d[x[0]] | T) ∧ ⟦φ'⟧))α.

Therefore, by definition of satisfiability, there exists a name a such that
P ⊨ ((d[x[0]] | T) ∧ ⟦φ'⟧)α{x↦a}. This implies that
• there exists P' such that P ≡ d[a[0]] | P',

As P ∼_struct S, the first point implies that a ∈ D. This latter together with
the second point and the induction hypothesis implies that S, α{x↦a} ⊨ φ'.
So, S, α ⊨ ∃xφ'.
of the Büchi-Elgot-Trakhtenbrot Theorem
Abstract. We consider the power of nondeterministic finite automata
with generalized acceptance criteria and the corresponding logics. In
particular, we examine the expressive power of monadic second-order
logic enriched with monadic second-order generalized quantifiers for
algebraic word-problems. Extending a well-known result by Büchi, Elgot,
and Trakhtenbrot, we show that considering monoidal quantifiers, the
obtained logic captures the class of regular languages. We also consider
monadic second-order groupoidal quantifiers and show that these are
powerful enough to define every language in LOGCFL.



1 Introduction 

Nondeterministic finite automata with generalized acceptance criteria were
introduced in [PV01]. Usually, an NFA M is said to accept its input word w if
it has at least one accepting computation on w, or, in other words, if in the
computation tree of M(w) there is at least one accepting path. One might ask
what class of languages one obtains when an input is defined to be accepted if
another condition holds, e.g., the number of accepting paths is divisible by some
prime number p. Even more generally, let us suppose that every path in the
computation tree produces an output symbol (which can be 0, 1 or something
else), and say that the leaf string of M on w is the sequence of these symbols over
all paths read from left to right (in an order defined formally below in Sect. 2).
A generalized acceptance criterion in the sense of [PV01] now is a leaf language
A, i.e., a set of leafstrings. Automaton M with leaf language A by definition
accepts an input w if the leafstring of M(w) is an element of A. Clearly, the leaf
language for usual nondeterministic acceptance is the language of all binary
words with at least one occurrence of the letter "1", while that for modulo-p
acceptance is the language L_mod p of all words with a number of "1"s that is
a multiple of p. Leaf languages drawn from various complexity and formal
language classes were examined in [PV01], and the power of NFAs using these to
define acceptance was clarified.

In this paper, we address the question to which logical framework finite
automata with leaf languages correspond. We show that a suitable way to
characterize NFAs with leaf languages in a logical way is to consider monadic
second-order logic enhanced with monadic second-order Lindström quantifiers
(a.k.a. generalized quantifiers, see, e.g., [EF95, Chap. 10.1]). We prove the
following general theorem: The languages accepted by finite automata with leaf
language A are exactly those definable by formulas with one second-order
Lindström quantifier given by A and no further second-order quantifiers. For example,
the above condition "divisible by p" corresponds to a monadic modular counting
quantifier.

Our result gives a comparison between automata and logic which we hope 
will prove useful in many contexts. Here, we apply our general theorem to obtain 
consequences in two directions. 

First we consider monadic monoidal quantifiers. These are defined by monoid
word-problems, i.e., regular languages. Thus, by our general theorem, these
correspond to regular leaf languages. Using a result of Peichl and Vollmer [PV01]
about the power of finite automata with regular leaf languages, we conclude
that formulas with monadic second-order monoidal quantifiers cannot define
non-regular languages.

Second, we consider monadic groupoidal quantifiers, that is, quantifiers given
by groupoid word-problems. (A groupoid is a finite multiplication table with an
identity, i.e., informally, a monoid without the associativity requirement.) Such
word-problems are context-free languages; hence, by the above, groupoid
quantifiers correspond to context-free leaf languages. Using a result of Lautemann et al.
[LMSV01] giving a model-theoretic characterization of LOGCFL, we conclude
that finite automata with context-free leaf language can accept every language in
LOGCFL (the class of languages logspace-reducible to context-free languages; it
is known that these are exactly those languages accepted by auxiliary pushdown
automata operating simultaneously in logarithmic space and polynomial time
[Coo71, Sud78]). Hence, in this case the situation is different from the monoidal
case: There, "regular quantifiers" could not define non-regular languages, while
now "context-free quantifiers" can define a strict superclass of CFL.

2 Finite Automata and Leaf Languages 

In this section we will define finite automata with generalized acceptance
criterion, as introduced in [PV01].

The basic model we use is that of nondeterministic finite automata. On an 
input word w, such a device defines a tree of possible computations. We want 
to consider this tree, but with a natural order on the leaves. Therefore we make 
the following definition: 

A finite leaf automaton is a tuple M = (Q, Σ, δ, s, Γ, β) where Q is the finite
set of states, Σ is an alphabet, the input alphabet, δ: Q × Σ → Q^+ is the
transition function, s ∈ Q is the initial state, Γ is an alphabet, the leaf alphabet,
and β: Q → Γ is a function that associates a state q with its value β(q). The
sequence δ(q, a), for q ∈ Q and a ∈ Σ, contains all possible successor states of M
when reading letter a while in state q, and the order of letters in that sequence
defines a total order on these successor states. This definition allows the same
state to appear more than once as a successor in δ(q, a).
Let M be as above. The computation tree T_M(w) of M on input w is a
labeled directed rooted tree defined as follows:

— The root of T_M(w) is labeled (s, w).

— Let v be a node in T_M(w) labeled by (q, x), where x ≠ ε (the empty word),
x = ay for a ∈ Σ, y ∈ Σ*. Let δ(q, a) = q_1 q_2 ··· q_k. Then v has k children in
T_M(w), and these are labeled by (q_1, y), (q_2, y), ..., (q_k, y) in this order.

If we look at the tree T_M(w) and attach the symbol β(q) to a leaf in this
tree with label (q, ε), then leafstring_M(w) is defined to be the string of symbols
attached to the leaves, read from left to right in the order induced by δ.

Definition 1. For A ⊆ Γ*, the class Leaf^FA(A) consists of all languages B ⊆
Σ*, for which there is a leaf automaton M as just defined, with input alphabet
Σ and leaf alphabet Γ such that for all w ∈ Σ*, w ∈ B iff leafstring_M(w) ∈ A.

The following result from [PV01] about the power of regular leaf languages
for finite automata will be central for one of our results below:

Proposition 2. Leaf^FA(REG) = REG.

3 The Logical Framework 

We follow standard notation for monadic second-order logic with linear order,
see, e.g., [Str94]. We restrict our attention to string signatures, i.e., signatures
of the form (P_{a_1}, ..., P_{a_s}), where all the predicates P_{a_i} are unary, and in every
structure A, A ⊨ P_{a_i}(j) iff the jth symbol in the input is the letter a_i. Such
structures are thus words over the alphabet {a_1, ..., a_s}; first-order variables
range over positions within such a word, i.e., from 1 to the word length n;
second-order variables range over subsets of {1, ..., n}. The logic's linear order symbol
refers to numerical order on {1, ..., n}. For technical reasons to be motivated
shortly, we also assume that every alphabet has a built-in linear order, and we
write alphabets as sequences of symbols to indicate that order, e.g., in the above
case we write (a_1, ..., a_s).

Our basic formulas are built from first- and second-order variables in the
usual way, using the Boolean connectives {∧, ∨, ¬}, the relevant predicates P_{a_i}
together with {=, <}, the constants min and max, the first- and second-order
quantifiers {∃, ∀}, and parentheses. For a formula φ, L_φ denotes the language
defined by φ, i.e., the set of all models of φ; that is: L_φ is a set of words. We use
= to name formulas, e.g.: φ = ∃x P_1(x).

SOM is the class of all languages definable using formulas as just described.
(The letters SOM stand for second order monadic logic; in the literature, this
logic is sometimes denoted by MSO.) FO is the subclass of SOM restricted to
languages definable by first-order formulas. It is known [MP71] that FO is equal
to the class of star-free regular languages. In this paper we are mainly interested
in the following earlier result (see [BE58, Büc62, Tra61]):
Proposition 3 (Büchi-Elgot-Trakhtenbrot Theorem). The class SOM is
equal to the class REG of regular languages.

Next, we extend the logical language allowing generalized quantifiers. 

Definition 4. Consider a language L over an alphabet Σ = (a_1, a_2, ..., a_s).
Such a language gives rise to a Lindström quantifier Q_L, that may be applied to
any sequence of s − 1 formulas as follows:

Let x be a k-tuple of variables (each of which ranges from 1 to the "input
length" n, as we have seen). We assume the lexical ordering on {1, 2, ..., n}^k,
and we write x^(1) < x^(2) < ··· < x^(n^k) for the sequence of potential values
taken on by x. The k-ary Lindström quantifier Q_L binding x takes a meaning
if s − 1 formulas, each having as free variables the variables in x (and possibly
others), are available. Let φ_1(x), φ_2(x), ..., φ_{s−1}(x) be these s − 1 formulas.
Then Q_L x[φ_1(x), φ_2(x), ..., φ_{s−1}(x)] holds on a string w = w_1 ··· w_n, iff the
word of length n^k whose ith letter, 1 ≤ i ≤ n^k, is

    a_1 if w ⊨ φ_1(x^(i)),
    a_2 if w ⊨ ¬φ_1(x^(i)) ∧ φ_2(x^(i)),
    ⋮
    a_s if w ⊨ ¬φ_1(x^(i)) ∧ ¬φ_2(x^(i)) ∧ ··· ∧ ¬φ_{s−1}(x^(i)),

belongs to L. We denote this word by

As an example, take s = 2 and consider L_∃ =def 0*1(0 + 1)*; then Q_{L_∃} is the
usual first-order existential quantifier. Similarly, the universal quantifier can be
expressed using the language L_∀ =def 1*. The quantifiers Q_{L_mod p} for p > 1 are
known as modular counting quantifiers [Str94].

The Lindström quantifiers of Def. 4 are precisely what has been referred to as
"Lindström quantifiers on strings" [BV98]. The original more general definition
[Lin66] uses transformations to arbitrary structures, not necessarily of string
signature. However, in the context of this paper, only reductions to (mostly
regular or context-free) languages or algebraic word-problems will be important,
and hence the above definition seems to be the most natural here.

Fix a finite monoid M. Each S ⊆ M defines an M-word-problem, i.e., a
language W(S, M) composed of all words w, over the alphabet M, that "multiply
out" to an element of S.

The following definition is due to Barrington, Immerman, and Straubing 
[BIS90]. 

Definition 5. A monoidal quantifier is a Lindström quantifier Q_L where L is
a word-problem of some finite monoid.

It is well-known that any regular language is a homomorphic pre-image of
(i.e., reduces via a homomorphism to) a word-problem over some monoid, and,
vice-versa, every word-problem of a finite monoid is regular. Hence, a monoidal
quantifier is nothing other than a Lindström quantifier Q_L where L is a regular
language. Coming back for a moment to the classical definition of Lindström
quantifiers, we thus see that a Lindström quantifier on strings defined by a
regular language is nothing else than a Lindström quantifier (in the classical
sense) defined by a structure that is a finite monoid multiplication table.

The class Q_Mon FO is the class of all languages definable by applying a single
monoidal quantifier to an appropriate tuple of FO formulas. The class FO(Q_Mon)
is defined analogously, but allowing monoidal quantifiers to be used as any other
quantifier would (i.e., allowing arbitrary nesting).

It was known [BIS90] that first-order logic with unnested unary monoidal
quantifiers characterizes the class of regular languages. Recently this has been
extended in [LMSV01] as follows:

Theorem 6. FO(Q_Mon) = Q_Mon FO = REG.

One of our results below will be that replacing in this statement the first-order 
quantifiers by monadic second-order quantifiers does not enlarge the expressive 
power. 

A groupoid is a finite multiplication table with an identity element. For a
fixed groupoid G, each S ⊆ G defines a G-word-problem, i.e., a language W(S, G)
composed of all words w, over the alphabet G, that can be bracketed in such a
way that w multiplies out to an element of S. Groupoid word-problems relate
to context-free languages in the same way as monoid word-problems relate to
regular languages: Every such word-problem is context-free, and every context-
free language is a homomorphic pre-image of a groupoid word-problem (this
result is credited to Valiant in [BLM93]).

The following definition is due to Bedard, Lemieux, and McKenzie [BLM93]:

Definition 7. A groupoidal quantifier is a Lindström quantifier Q_L where L is
a word-problem of some finite groupoid.

Usage of groupoidal quantifiers in our logical language is signalled by Q_Grp,
used in the same way as described for Q_Mon above.

Second-order Lindström quantifiers on strings were introduced in [BV98].
Here, we are mainly interested in those binding only set variables, so called
monadic quantifiers.

Definition 8. Consider a language L over an alphabet Σ = (a_1, a_2, ..., a_s). Let
X = (X_1, ..., X_k) be a k-tuple of unary second-order variables, i.e., set variables.
There are 2^{nk} different instances (assignments) of X. We assume the following
ordering on those instances: Let each instance of a single X_i be encoded by a
bit string s^i_1 ··· s^i_n with the meaning s^i_j = 1 iff j ∈ X_i. Then we encode
an instance of X by the bit string s^1_1 s^2_1 ··· s^k_1 s^1_2 s^2_2 ··· s^k_2 ··· s^1_n ··· s^k_n and order
the instances lexicographically by their codes. We write X^(1) < X^(2) < ··· <
X^(2^{nk}) for the sequence of all instances in that order. The monadic second-order
Lindström quantifier Q_L binding X takes a meaning if s − 1 formulas, each
having free variables X, are available. Let φ_1(X), φ_2(X), ..., φ_{s−1}(X) be these
s − 1 formulas. Then φ = Q_L X[φ_1(X), φ_2(X), ..., φ_{s−1}(X)] holds on a string
w = w_1 ··· w_n, iff the word of length 2^{nk} whose ith letter, 1 ≤ i ≤ 2^{nk}, is

    a_1 if w ⊨ φ_1(X^(i)),
    a_2 if w ⊨ ¬φ_1(X^(i)) ∧ φ_2(X^(i)),
    ⋮
    a_s if w ⊨ ¬φ_1(X^(i)) ∧ ¬φ_2(X^(i)) ∧ ··· ∧ ¬φ_{s−1}(X^(i)),

belongs to L. We denote this word by

Again, taking as examples the languages L_∃ and L_∀, we obtain the usual
second-order existential and universal quantifiers.

If L above is a monoid word-problem, then we say that Q_L is a monadic
second-order monoidal quantifier; if L is a groupoid word-problem then Q_L is
called monadic second-order groupoidal quantifier.

The class mon-Q_L FO is the class of all languages describable by applying
a specific monadic second-order monoidal quantifier Q_L to an appropriate tuple
of formulas without further occurrences of second-order quantifiers. The
class mon-Q_Mon FO is defined analogously using arbitrary monadic second-order
monoidal quantifiers. The class mon-Q_Mon SOM is defined analogously using tuples
of SOM formulas. The class SOM(mon-Q_Mon) is defined analogously, but
allowing monoidal quantifiers to be used as any other quantifier would (i.e.,
allowing arbitrary nesting). Analogous notation with mon-Q_Grp will be used.

4 Leaf Languages vs. Generalized Quantifiers 

We start by proving a technical lemma which we will need later on. We follow
the treatment of formulas with free variables developed in detail in [Str94,
pp. 14ff], i.e., such formulas define languages of words with (first- and second-
order) variables attached to its letters, so called (V_1, V_2)-structures for a set V_1
of first-order and a set V_2 of second-order variables; formally a (V_1, V_2)-structure
over A is a word over the alphabet A × 2^{V_1} × 2^{V_2} where A is the original (letter)
alphabet.

Lemma 9. Let A be an alphabet and V_1 and V_2 be sets of first- and second-order
variables. Let X = (X_1, ..., X_k) be a vector of monadic second-order variables.
Let φ_1(X), φ_2(X), ..., φ_{s−1}(X) be formulas (from any calculus) that define regular
sets of (V_1, V_2 ∪ {X_1, ..., X_k})-structures over A.

Let Γ = (a_1, a_2, ..., a_s) be an ordered alphabet, and let L ⊆ Γ*. Define
φ = Q_L X[φ_1(X), φ_2(X), ..., φ_{s−1}(X)]; hence φ is a formula which defines a
set of (V_1, V_2)-structures over A. Then there exists a leaf automaton M that
accepts the language L_φ when working with leaf language L.

Proof. Let M_1, ..., M_{s−1} be the deterministic automata that accept L_{φ_1}, ...,
L_{φ_{s−1}}. For 1 ≤ i < s, let M_i = (Q^i, A × 2^{V_1} × 2^{V_2 ∪ {X_1, ..., X_k}}, δ_i, s_i, A_i). We
consider the usual parallel product of the M_i, i.e., M_× =def (×_{i=1}^{s−1} Q^i, A × 2^{V_1} ×
2^{V_2 ∪ {X_1, ..., X_k}}, (s_1, s_2, ..., s_{s−1}), ×_{i=1}^{s−1} A_i) with a transition function given by

    δ_×((q_1, q_2, ..., q_{s−1}), (v, S, T)) = (δ_1(q_1, (v, S, T)), ..., δ_{s−1}(q_{s−1}, (v, S, T))).

We define our leaf automaton

    M =def (×_{i=1}^{s−1} Q^i, Σ × 2^{V_1} × 2^{V_2}, δ, (s_1, s_2, ..., s_{s−1}), Γ, β)

as follows:

We want M to accept only (V_1, V_2)-structures as input. Certainly we have
to simulate the behavior of M_× on every possible instance of X = (X_1, ..., X_k).
Each position of an input of M_× may or may not be an element of each (set)
variable X_i — in other words: If w is an input of M, then for each read letter
(w_j, V_1^j, V_2^j) of w, where w_j ∈ Σ, V_1^j ⊆ V_1, V_2^j ⊆ V_2, we have to simulate M_× for
the cases X_i ∈ V_2^j and X_i ∉ V_2^j, 1 ≤ i ≤ k. So there are 2^k possibilities for
simulated inputs for each letter of w. We encode the members of 𝒫({X_1, ..., X_k})
by S_i, 1 ≤ i ≤ 2^k, where each set S_i is defined by X_j ∈ S_i iff the jth bit of
bin_k(i − 1) (the length k binary encoding of the natural number i − 1) is 1.

The transition function of M is now defined as (recall that the transition
function for leaf automata maps into sequences of states)

    δ((q_1, q_2, ..., q_{s−1}), (x, S, T)) =
        δ_×((q_1, q_2, ..., q_{s−1}), (x, S, T ∪ S_1))
        δ_×((q_1, q_2, ..., q_{s−1}), (x, S, T ∪ S_2))
        ⋮
        δ_×((q_1, q_2, ..., q_{s−1}), (x, S, T ∪ S_{2^k}))

Finally we define

    β(q_1, q_2, ..., q_{s−1}) =
        a_1 if q_1 ∈ A_1,
        a_2 if q_1 ∉ A_1 ∧ q_2 ∈ A_2,
        ⋮
        a_s if q_1 ∉ A_1 ∧ q_2 ∉ A_2 ∧ ··· ∧ q_{s−1} ∉ A_{s−1}.

Now M on input w = w_1 ... w_n spans a computation tree T_M(w) of depth n and
branching width 2^k. Such a tree has (2^k)^n = 2^{nk} leaves. We will now prove that
the leaf string on T_M(w) is identical to the word of Def. 8 for w:

Each of the 2^k branches on an input letter corresponds to a set S_i, 1 ≤ i ≤ 2^k.
Thus we can encode the branch with the bit string bin_k(i − 1) defining S_i as above.
When ordering the leaves on T_M(w), the branching on earlier input letters is of
higher importance than the branching on later input letters. So we can encode
a path in T_M(w) by the bit string bin_k(i_1 − 1) bin_k(i_2 − 1) ··· bin_k(i_n − 1) of
length nk, meaning: on input letter j the set S_{i_j} was chosen. If path l has a
lexicographically smaller encoding than path l', then the leaf of l has a position
in the leaf string of T_M(w) to the left of the leaf on path l'. Since there are
exactly 2^k different bit strings bin_k(i), each of those strings corresponds to one
set S_i, and as such it corresponds to the branch i in a forking of the computation
tree. Thus the space of all 2^{nk} binary strings of length nk is completely filled
with encodings of computation paths. From this it follows that path number l
in the computation tree is encoded by the bit string of length nk which is the
binary representation of l − 1.

Now we want to show that on path l the tuple of sets X^(l) (using the notation
from Def. 8) is simulated. The encoding of path l is the binary string z representing
the number l − 1. We can split z in n parts of length k: z = z_1 z_2 ··· z_n.
As said before, the bit string z_j = z_j^1 z_j^2 ... z_j^k encodes the simulation of sets
X_i in this way: z_j^i = 1 iff the set X_i was chosen on input letter j. So the
value of the variable X_i depends on the values of z_1^i, z_2^i, ..., z_n^i of the string
z = z_1^1 z_1^2 ... z_1^k z_2^1 z_2^2 ... z_2^k ··· z_n^1 z_n^2 ··· z_n^k. But since z represents the number l − 1,
this is exactly the definition of the tuple X^(l).

Thus we conclude that on path l of the computation tree we simulate the
behavior of the machines M_1, ..., M_{s−1} on input w supplemented by X^(l). Each
M_k simulates the formula φ_k. So, if on reading the last input letter the state
q_k is reached on machine M_k then it holds q_k ∈ A_k iff w ⊨ φ_k(X^(l)).

From the definition of the function β we see that the leaf letter on path l is

    a_1 if w ⊨ φ_1(X^(l)),
    a_2 if w ⊨ ¬φ_1(X^(l)) ∧ φ_2(X^(l)),
    ⋮
    a_s if w ⊨ ¬φ_1(X^(l)) ∧ ¬φ_2(X^(l)) ∧ ··· ∧ ¬φ_{s−1}(X^(l)).

But this is the letter l of the word of Def. 8 for w. This completes the
proof that the leaf string on computation tree T_M(w) is identical to that word.

This implies w ⊨ Q_L X[φ_1(X), φ_2(X), ..., φ_{s−1}(X)] iff the word of Def. 8 for w
belongs to L iff leafstring_M(w) ∈ L. Thus M with leaf language L accepts the
language L_φ. □
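As an added example (not code from the paper), the following Python implements leaf automata and leafstring_M(w) from Sect. 2, the quantifier word of Def. 8 for a constructed formula φ_1(X) over the ordered leaf alphabet (1, 0), and the Lemma 9 product construction; demo() checks that the leaf string of the constructed automaton equals the Def. 8 word and evaluates it under the leaf languages L_∃ and L_mod 2. The names quantifier_word, lemma9_leaf_automaton and the formula φ_1 are assumptions of this example, and the formulas are taken to be closed (V_1 = V_2 = ∅).

```python
from itertools import product

# Added example (not from the paper): leaf automata (Sect. 2), the quantifier word
# of Def. 8 (called quantifier_word here, an assumed name) and the Lemma 9 automaton.
# Assumes closed formulas (V_1 = V_2 = empty): a DFA letter is (w_j, S), S = {i : j in X_i}.

def leafstring(delta, s, beta, w):
    """leafstring_M(w): beta of the leaves of T_M(w), read left to right.
    delta(q, a) returns the ordered sequence of successor states."""
    leaves = []
    def walk(q, j):
        if j == len(w):
            leaves.append(beta(q))
            return
        for q2 in delta(q, w[j]):          # children in the order fixed by delta
            walk(q2, j + 1)
    walk(s, 0)
    return "".join(leaves)

def leaf_exists(leaf):
    """Usual NFA acceptance: leaf language 0*1(0+1)*."""
    return "1" in leaf

def leaf_mod(leaf, p):
    """Modulo-p acceptance: leaf language L_mod p (number of 1s divisible by p)."""
    return leaf.count("1") % p == 0

def instances(n, k):
    """All 2^(nk) instances of X = (X_1..X_k) over positions 1..n in the order of
    Def. 8: code s^1_1..s^k_1 s^1_2..s^k_2 ... s^k_n, compared lexicographically."""
    for bits in product((0, 1), repeat=n * k):
        yield tuple(frozenset(j + 1 for j in range(n) if bits[j * k + i])
                    for i in range(k))

def quantifier_word(formulas, gamma, w, k):
    """Letter a_i for the first phi_i that holds on (w, X), a_s if none holds;
    one letter per instance X, in the order of Def. 8."""
    out = []
    for X in instances(len(w), k):
        i = next((i for i, phi in enumerate(formulas) if phi(w, X)), len(formulas))
        out.append(gamma[i])
    return "".join(out)

def dfa_formula(dfa):
    """phi(w, X) := the DFA (delta, start, accept) over Sigma x 2^{X_1..X_k}
    accepts w with the sets X attached to its letters."""
    delta, start, accept = dfa
    def phi(w, X):
        q = start
        for j, x in enumerate(w, start=1):
            q = delta(q, x, frozenset(i + 1 for i, Xi in enumerate(X) if j in Xi))
        return q in accept
    return phi

def lemma9_leaf_automaton(dfas, gamma, k):
    """Lemma 9: (delta_M, s_M, beta) of the leaf automaton built from the DFAs.
    Each letter branches into 2^k children, one per S_z, where X_j is in S_z iff
    the j-th bit of bin_k(z-1) is 1; beta picks a_i for the first accepting q_i."""
    subsets = [frozenset(j + 1 for j in range(k) if bits[j])
               for bits in product((0, 1), repeat=k)]      # S_1, ..., S_{2^k}
    def delta_M(qs, x):
        return [tuple(d(q, x, S) for (d, _, _), q in zip(dfas, qs)) for S in subsets]
    def beta(qs):
        for i, ((_, _, acc), q) in enumerate(zip(dfas, qs)):
            if q in acc:
                return gamma[i]
        return gamma[-1]
    return delta_M, tuple(s for _, s, _ in dfas), beta

# Hypothetical example formula phi_1(X) with k = 1: "X = {j} for one position j
# and w_j = a". DFA states: 0 = nothing of X seen, 1 = one a-position seen, 2 = dead.
def delta_singleton_a(q, x, S):
    if q == 2 or (S and (q == 1 or x != "a")):
        return 2
    return 1 if S else q

PHI1 = (delta_singleton_a, 0, {1})
# Ordered leaf alphabet (a_1, a_2) = (1, 0): with L_exists = 0*1(0+1)* the
# quantifier is "exists X", with L_mod 2 it counts the a's in w modulo 2.
GAMMA = ("1", "0")

def demo(w):
    """(word of Def. 8, leaf string of the Lemma 9 automaton, exists X phi_1,
    number of a's even) for the constructed input w."""
    word = quantifier_word([dfa_formula(PHI1)], GAMMA, w, k=1)
    leaf = leafstring(*lemma9_leaf_automaton([PHI1], GAMMA, k=1), w)
    return word, leaf, leaf_exists(leaf), leaf_mod(leaf, 2)

if __name__ == "__main__":
    for w in ("aba", "bb", "aaa"):
        print(w, *demo(w))
```

For w = aba the instances of X in Def. 8 order are ∅, {3}, {2}, {2,3}, {1}, {1,3}, {1,2}, {1,2,3}, so both words come out as 01001000: the leaf at path l carries the letter for X^(l).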

Let N be the class of all languages that have a neutral letter; i.e., L ⊆ Γ* is
in N if there is a letter e ∈ Γ such that, for all u, v ∈ Γ*, we have uv ∈ L iff
uev ∈ L.

Our main result in this section states that, for all languages L ∈ N, finite
automata with leaf language L accept exactly those languages definable with a
monadic Q_L quantifier.

Theorem 10. For any L ∈ N, Leaf^FA(L) = mon-Q_L FO.

Proof. We first consider the inclusion Leaf^FA(L) ⊇ mon-Q_L FO.

Let φ be a mon-Q_L FO-formula which defines a language L_φ ⊆ Σ*. Then φ
will have the form Q_L X[φ_1(X), φ_2(X), ..., φ_{s−1}(X)] for some formulas φ_i(X),
1 ≤ i ≤ s − 1, which are first order except for the occurrence of the monadic
variables in X. Hence we conclude by Lemma 9 that there must exist a leaf
automaton M_φ which accepts the language L_φ.

It remains to prove the opposite inclusion Leaf^FA(L) ⊆ mon-Q_L FO.

Let Γ = {a_1, a_2, ..., a_{s−1}, e}, let L ∈ N ∩ 𝒫(Γ*) where e is neutral, and
let M = (Q, Σ, δ, q_1, Γ, β) be a leaf automaton. Suppose that M working with
leaf language L accepts a certain language A ⊆ Σ*. We have to construct a
mon-Q_L FO-formula φ such that L_φ = A.

First, order the leaf alphabet in such a way that e is the last symbol in Γ, e.g.,
Γ = (a_1, a_2, ..., a_{s−1}, e). Let Q = {q_1, ..., q_l} and let m =def max{|δ(q, a)| :
q ∈ Q, a ∈ Σ}. Formula φ will be of the form Q_L X[φ_1(X), φ_2(X), ..., φ_{s−1}(X)]
where X =def (X_m, ..., X_1, Y_l, ..., Y_1).

We want to encode the number of a computation path of M on input w in
the variables X_i. This will be done in the following way: j ∈ X_i iff M reading
the j-th symbol of w chooses the i-th alternative of the successor function.

In the variables Y_i we want to encode the sequence of states of M on input
w on a certain computation path. We shall do this in the following form: j ∈ Y_i
iff M (on that computation path whose number is given by variables X_i) while
reading the j-th symbol of the input is in state q_i.

The formulas φ_k on input w and an instance of X thus have to express the
following:

1. All φ_k have to test whether the X_i encode a computation path of M on w.
If this is not the case (e.g. if there exists a j and i_1 ≠ i_2 with j ∈ X_{i_1} and
j ∈ X_{i_2}) then w ⊭ φ_k(X) for all k ∈ {1, ..., s − 1}. (A look at the definition
of the word in Def. 8 shows that the letter of that word yielded by X will then
be e.)

2. All φ_k have to test whether the Y_i encode the correct sequence of states of
M for the computation path encoded by the X_i. If this is not the case then
w ⊭ φ_k(X) for all k ∈ {1, ..., s − 1}. (The letter of the word of Def. 8 yielded
by X thus again will be e.)

3. If X encodes a computation of M — i.e., if the X_i encode the number of a
path of M and the Y_i encode the correct sequence of states of M on that
path — then w ⊨ φ_k(X) iff M on the computation path encoded by the X_i
produces the leaf letter a_k. (The letter of the word of Def. 8 yielded by X will
then be identical to the leaf letter produced by M on the computation path
encoded by the X_i.)

It is easy to construct FO-formulas with this behavior.

We now show that the word of Def. 8 for w is essentially equal to the word
leafstring_M(w), more precisely: that both words are identical once all occurrences
of the letter e are deleted from them; hence they are equivalent w.r.t. membership
in L.

Since each computation of M is encoded by a certain instance of X, each
letter in leafstring_M(w) is contained in the word of Def. 8 for w, also. And since
each instance of X not encoding a sensible computation of M yields the letter e
in that word, we know that the amount of each letter different from e in both
words is identical. All there is left to do is showing that their sequences are
identical in both words.
Let p_1 and p_2 be computation paths in M, u and v their respective leaf
letters and X_1 and X_2 the encoding of the sensible computations associated
with these paths (it was shown above that then u and v are also the letters of
the word of Def. 8 produced by X_1 and X_2). We show that p_1 is positioned
before p_2 iff the encoding of X_1 is of lower order than the encoding of X_2.

The encoding of an instance X_k, according to the definition of the word in Def. 8,
can be separated into n bit strings of length m + l. Each of those strings is of the
form x_m ··· x_1 y_l ··· y_1. The j-th such string corresponds to the input letter j
with the meaning x_i = 1 iff j ∈ X_i (there will always be only one x_i = 1, since
the X_k are correct encodings) and y_i = 1 iff j ∈ Y_i (there will also always be
only one y_i = 1).

Two computation paths that differ have a word position on which the first
difference occurs. We call it d. Up to position d not only the sequences of successor
function choices are identical for both paths but also the sequence of states
M assumes while reading letters of w; this holds because the computations so
far are identical.

But from this it follows that the encodings of the X_k are identical up to the
bit string number d. So, this string decides which encoding is of higher order.
Let the d-th string of X_1 be x^1_m ··· x^1_1 y^1_l ··· y^1_1 and of X_2 be x^2_m ··· x^2_1 y^2_l ··· y^2_1.

The unique x^1_a = 1 is the choice for the successor function on computation
path p_1 and input letter d while the x^2_b = 1 is the corresponding choice for
path p_2. Then a < b iff p_1 is ordered before p_2 in T_M(w) (this is due to the
ordering which the successor function imposes on the computation tree) and
the string x^1_m ··· x^1_b ··· x^1_a ··· x^1_1 y^1_l ··· y^1_1 = 0 ··· 0 ··· 1 ··· 0 y^1_l ··· y^1_1 is smaller than
x^2_m ··· x^2_b ··· x^2_a ··· x^2_1 y^2_l ··· y^2_1 = 0 ··· 1 ··· 0 ··· 0 y^2_l ··· y^2_1. Thus the ordering of X_1
and X_2 is identical to the ordering of p_1 and p_2.

This concludes the proof that the word of Def. 8 for w and leafstring_M(w) are
identical if the letters e are not considered. Thus w ∈ A iff leafstring_M(w) ∈ L
iff the word of Def. 8 for w belongs to L iff w ∈ L_φ, hence we conclude that φ
defines the language A accepted by M. □

5 Monoidal Quantifiers 

We can now give an extension of Proposition 3: if we extend the monadic second-
order formalism by monoidal quantifiers, we do not gain expressive power.

Theorem 11. mon-Q_Mon FO = FO(mon-Q_Mon) = mon-Q_Mon SOM = SOM(mon-Q_Mon) = REG.

Proof. The inclusions mon-Q_Mon FO ⊆ mon-Q_Mon SOM ⊆ SOM(mon-Q_Mon) and
mon-Q_Mon FO ⊆ FO(mon-Q_Mon) ⊆ SOM(mon-Q_Mon) are trivial.

For the inclusion REG ⊆ mon-Q_Mon FO we use the fact that every regular
language can be defined by an SOM formula with only one second-order existential
quantifier preceding a first-order formula [Tho82], and an existential quantifier
is one particular monoidal quantifier — as already mentioned, it is equivalent to
Q_{L_∃} with L_∃ = 0*1(0 + 1)*.

Now all that is left to do is to prove that SOM(mon-Q_Mon) ⊆ REG. We do 
this closely following the proof of Theorem III.1.1 in [Str94]. There, SOM ⊆ REG 
is proven proceeding by induction on the construction of second-order monadic 
formulas. Since here we have SOM formulas with one additional constructive 
element, the Lindström quantifier, we have to extend the inductive proof by 
one step: 

Let Σ be an alphabet and V_1 and V_2 be sets of first- and second-order 
variables. Then a formula φ ∈ SOM(mon-Q_Mon) with free variables V_1 ∪ V_2 
accepts a language L_φ ⊆ (Σ × 2^{V_1} × 2^{V_2})*. We have to prove that L_φ is a 
regular language. As mentioned, the proof proceeds by induction, see [Str94, 
pp. 21ff]. The additional case in the induction step for us here is that of 
φ = Q_L X̄[φ_1(X̄), φ_2(X̄), …, φ_{s−1}(X̄)] with X̄ = X_1, …, X_k. By induction 
hypothesis there exist deterministic automata M_1, M_2, …, M_{s−1} that accept 
the (V_1, V_2 ∪ {X_1, …, X_k})-structures that model φ_1, φ_2, …, φ_{s−1}. Hence 
we can use Lemma 9 to conclude that there is a leaf automaton M_φ that accepts 
L_φ when working w.r.t. leaf language L. 

But since L is regular, we can use Proposition 2 to see that then L_φ is regular, 
too. This concludes the induction and the proof of the theorem. □ 

This result, together with the result of Thomas [Tho82] mentioned in the 
above proof, leads immediately to the following normal form for monadic second- 
order monoidal logic: 

Corollary 12. Every SOM(mon-Q_Mon)-formula is equivalent to a formula of 
the form ∃X φ(X), where X is a set variable and φ is a formula without second- 
order quantifiers. 



6 Groupoidal Quantifiers 

Finally, we examine the power of monadic second-order groupoidal quantifiers. 
These are powerful enough to define every language in LOGGFL, as we prove 
next. 

Theorem 13. LOGCFL ⊆ mon-Q_CFL FO. 

Proof. Lautemann et al. in [LMSV01] showed that LOGCFL = Q_CFL FO. This 
means that for every language L ∈ LOGCFL there is a sentence φ in first-order 
logic prefixed with a generalized quantifier for a context-free language such that 
L = L_φ. 

However, such a CFL-quantifier can easily be simulated by a monadic second- 
order Lindström quantifier defined by another context-free language as follows: 
Consider the formula φ = Q_L x_1 ⋯ x_k [ψ(x_1 ⋯ x_k)] for a first-order formula ψ 
and a context-free language L over {0, 1} (the case of larger alphabets proceeds 
completely analogously). Let L' be obtained from L by adding a neutral letter, 
i.e., L' is defined over the alphabet {0, 1, ε} where ε is neutral. Define 

φ' = Q_{L'} X_1 ⋯ X_k [ψ_1(X_1 ⋯ X_k), ψ_2(X_1 ⋯ X_k)], 

where 

ψ_1(X_1 ⋯ X_k) = ∃x_1 ⋯ x_k ( ⋀_{i=1}^{k} (x_i ∈ X_i ∧ ∀y (y ∈ X_i → x_i = y)) ∧ ψ(x̄) ), 

ψ_2(X_1 ⋯ X_k) = ∃x_1 ⋯ x_k ( ⋀_{i=1}^{k} (x_i ∈ X_i ∧ ∀y (y ∈ X_i → x_i = y)) ∧ ¬ψ(x̄) ). 

Then the only assignments of a set variable X_i that do not lead to output symbol 
ε in φ' are the singleton sets, and these correspond (in the same relative 
order) to assignments of x_i in φ. Hence, for every input w, …(w) ∈ L' iff 
…(w) ∈ L, and thus L_φ = L_{φ'}. 

This proves LOGCFL = Q_CFL FO ⊆ mon-Q_CFL FO. □ 
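The step "singleton assignments correspond, in the same relative order, to assignments of the x_i" is the whole content of the simulation above. The following Python script is an added example, not code from the paper: it builds, for a concrete word w, the letter string handed to L by Q_L x_1 ⋯ x_k[ψ] and the string handed to L' by Q_{L'} X_1 ⋯ X_k[ψ_1, ψ_2], and checks that deleting the neutral letter from the second yields the first. Everything not fixed by the text is this example's own assumption: positions are 1..n, a set X is ordered by the number Σ_{i∈X} 2^(i−1), tuples are ordered lexicographically, and the output letter is '1' when ψ_1 holds, '0' when ψ_2 holds and 'e' (for ε) otherwise; the property ψ and the input word are constructed samples.

```python
"""Added example (not from the paper): the neutral-letter simulation of a
first-order Lindstrom quantifier by a monadic second-order one (Theorem 13),
checked on a concrete word.  Ordering and letter conventions are assumptions
of this example, as is the sample property psi."""
from itertools import product
from typing import Callable, FrozenSet, List, Optional, Tuple

# psi(w, xs): a first-order property of the positions xs = (x_1, ..., x_k) in w
Psi = Callable[[str, Tuple[int, ...]], bool]


def fo_letters(w: str, k: int, psi: Psi) -> str:
    """Letter string built by Q_L x_1...x_k[psi(x)]: one bit per position tuple,
    tuples taken in lexicographic order (assumed convention)."""
    positions = range(1, len(w) + 1)
    return "".join("1" if psi(w, xs) else "0" for xs in product(positions, repeat=k))


def subsets_in_order(n: int) -> List[FrozenSet[int]]:
    """All subsets of {1..n} ordered by their binary code (assumed convention);
    the singletons {1}, {2}, ..., {n} then appear in the same order as positions."""
    return [frozenset(i for i in range(1, n + 1) if (code >> (i - 1)) & 1)
            for code in range(2 ** n)]


def _singleton_tuple(Xs: Tuple[FrozenSet[int], ...]) -> Optional[Tuple[int, ...]]:
    """The witness (x_1..x_k) of  x_i in X_i  and  forall y (y in X_i -> x_i = y),
    which exists exactly when every X_i is a singleton."""
    if all(len(X) == 1 for X in Xs):
        return tuple(next(iter(X)) for X in Xs)
    return None


def psi_1(w: str, Xs: Tuple[FrozenSet[int], ...], psi: Psi) -> bool:
    xs = _singleton_tuple(Xs)
    return xs is not None and psi(w, xs)


def psi_2(w: str, Xs: Tuple[FrozenSet[int], ...], psi: Psi) -> bool:
    xs = _singleton_tuple(Xs)
    return xs is not None and not psi(w, xs)


def so_letters(w: str, k: int, psi: Psi) -> str:
    """Letter string built by Q_{L'} X_1...X_k[psi_1, psi_2] over {0, 1, e}."""
    out = []
    for Xs in product(subsets_in_order(len(w)), repeat=k):
        if psi_1(w, Xs, psi):
            out.append("1")
        elif psi_2(w, Xs, psi):
            out.append("0")
        else:
            out.append("e")   # some X_i is not a singleton: the neutral letter
    return "".join(out)


def strip_neutral(s: str) -> str:
    """L' is L with a neutral letter, so membership in L' ignores every 'e'."""
    return s.replace("e", "")


def sample_psi(w: str, xs: Tuple[int, ...]) -> bool:
    """Constructed sample psi(x_1, x_2): an 'a' at x_1 before a 'b' at x_2."""
    x1, x2 = xs
    return w[x1 - 1] == "a" and x1 < x2 and w[x2 - 1] == "b"


def simulation_agrees(w: str, k: int, psi: Psi) -> bool:
    """The proof's claim for input w: both quantifiers hand the same word to L
    once the neutral letters are removed, hence L_phi = L_phi'."""
    return strip_neutral(so_letters(w, k, psi)) == fo_letters(w, k, psi)


if __name__ == "__main__":
    w = "abab"  # constructed input word
    print(fo_letters(w, 2, sample_psi))
    print(so_letters(w, 2, sample_psi).count("e"), "neutral letters")
    print(simulation_agrees(w, 2, sample_psi))
```

With k = 2 and |w| = 4 the second-order string has 2^4 · 2^4 = 256 letters, of which only the 16 singleton tuples carry a bit; the remaining 240 are ε and vanish in L'.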

Peichl and Vollmer, after introducing finite leaf automata in [PV01], exam- 
ined the power of various classes of leaf languages and thus obtained a number 
of new characterizations of complexity classes and formal language classes. One 
particular case, left open in that paper, is the following: What is the power of 
finite leaf automata with context-free leaf languages, i.e., how does the class 
Leaf^FA(CFL) relate to other well-known classes? The only upper and lower 
bounds known were CFL ⊆ Leaf^FA(CFL) ⊆ DSPACE(n²) ∩ DTIME(2^{O(n)}). 
Here, we improve the lower bound. 

Corollary 14. LOGCFL ⊆ Leaf^FA(CFL). 

Proof. From Theorem 13, we obtain LOGCFL ⊆ mon-Q_CFL FO = mon-Q…FO. 
By Theorem 10, however, the latter class is equal to Leaf^FA(CFL), yielding 
LOGCFL ⊆ Leaf^FA(CFL). □ 

7 Conclusion 

We considered monadic second-order logic extended with generalized quantifiers. 
We contributed to the study of the expressive power of such logics as well as to 
the study of the power of finite automata with generalized acceptance criteria. 
So far, we did not exploit the close connection between logical reductions and 
generalized quantifiers. This might lead to further interesting consequences. 

One of the results of this paper is that adding arbitrary monadic second- 
order monoidal quantifiers to SOM does not give us more power. On the other 
hand one might ask what specific regular languages L besides L_∃ (for nonde- 
terministic acceptance, see Theorem 11 and Corollary 12) there are for which 
Q_L FO = REG. Even for a very "easy" language obtained from deterministic 
acceptance of regular languages, namely L_det = 1(0+1)*, we have Q_{L_det} FO = 
REG. (This implies easily that also … FO = REG.) Can interesting sub- 
classes of REG be defined with restricted quantifiers? 

Still open remains a complete clarification of the power of Leaf^FA(CFL). 
We proved LOGCFL ⊆ Leaf^FA(CFL). It is relatively easy to see that every 
language in Leaf^FA(CFL) can be accepted by auxiliary pushdown automata 
with linear space and simultaneous exponential time bound; hence LOGCFL = 
NAuxPDA-SPACE-TIME(log n, n^{O(1)}) ⊆ Leaf^FA(CFL) ⊆ NAuxPDA-SPACE- 
TIME(n, 2^{O(n)}). Is one of these inclusions actually an equality? And how do 
the logics in the range from mon-Q_CFL FO to SOM(mon-Q_CFL) relate to these 
classes? 

Acknowledgment 

We thank Gerhard Buntrock (Lübeck), Klaus-Jörn Lange (Tübingen), Klaus 
Reinhard (Tübingen), and, in particular, Sven Kosub (Würzburg) for helpful 
discussions. We also thank the anonymous referees for hints that helped to im- 
prove the presentation of the paper. 



References 

[BE58] J. R. Büchi and C. C. Elgot. Decision problems of weak second order arithmetics and finite automata, Part I. Notices of the American Mathematical Society, 5:834, 1958. 

[BIS90] D. A. Mix Barrington, N. Immerman, and H. Straubing. On uniformity within NC^1. Journal of Computer and System Sciences, 41:274-306, 1990. 

[BLM93] F. Bédard, F. Lemieux, and P. McKenzie. Extensions to Barrington's M-program model. Theoretical Computer Science, 107:31-61, 1993. 

[Büc62] J. R. Büchi. On a decision method in restricted second-order arithmetic. In Proceedings Logic, Methodology and Philosophy of Sciences 1960, Stanford, CA, 1962. Stanford University Press. 

[BV98] H.-J. Burtschick and H. Vollmer. Lindström quantifiers and leaf language definability. International Journal of Foundations of Computer Science, 9:277-294, 1998. 

[Coo71] S. A. Cook. Characterizations of pushdown machines in terms of time-bounded computers. Journal of the Association for Computing Machinery, 18:4-18, 1971. 

[EF95] H.-D. Ebbinghaus and J. Flum. Finite Model Theory. Perspectives in Mathematical Logic. Springer Verlag, Berlin Heidelberg, 1995. 

[Lin66] P. Lindström. First order predicate logic with generalized quantifiers. Theoria, 32:186-195, 1966. 

[LMSV01] C. Lautemann, P. McKenzie, T. Schwentick, and H. Vollmer. The descriptive complexity approach to LOGCFL. Journal of Computer and Systems Sciences, 2001. To appear. A preliminary version appeared in the Proceedings of the 16th Symposium on Theoretical Aspects of Computer Science, Lecture Notes in Computer Science Vol. 1563, pp. 444-454, Springer Verlag, 1999. 

[MP71] R. McNaughton and S. Papert. Counter-Free Automata. MIT Press, 1971. 







Matthias Galota and Heribert Vollmer 



[PV01] T. Peichl and H. Vollmer. Finite automata with generalized acceptance criteria. Discrete Mathematics and Theoretical Computer Science, 2001. To appear. A preliminary version appeared in the Proceedings of the 26th International Colloquium on Automata, Languages, and Programming, Lecture Notes in Computer Science Vol. 1644, pp. 605-614, Springer Verlag, 1999. 

[Str94] H. Straubing. Finite Automata, Formal Logic, and Circuit Complexity. Birkhäuser, Boston, 1994. 

[Sud78] I. H. Sudborough. On the tape complexity of deterministic context-free languages. Journal of the Association for Computing Machinery, 25:405-414, 1978. 

[Tho82] W. Thomas. Classifying regular events in symbolic logic. Journal of Computer and Systems Sciences, 25:360-376, 1982. 

[Tra61] B. A. Trakhtenbrot. Finite automata and logic of monadic predicates. Doklady Akademii Nauk SSSR, 140:326-329, 1961. In Russian. 




An Effective Extension of the 
Wagner Hierarchy to Blind Counter Automata 



Olivier Finkel 

Equipe de Logique Mathématique 
U.F.R. de Mathématiques, Université Paris 7 
2 Place Jussieu 75251 Paris cedex 05, France 
finkel@logique.jussieu.fr 



Abstract. The extension of the Wagner hierarchy to blind counter au- 
tomata accepting infinite words with a Muller acceptance condition is 
effective. We determine precisely this hierarchy. 

Keywords: ω-languages; blind counter automata; effective extension of 
the Wagner hierarchy; topological properties; Wadge hierarchy; Wadge 
games. 



1 Introduction 

Regular ω-languages are accepted by (deterministic) Muller automata. Finite 
machines having a stronger expressive power when reading infinite words have 
also been investigated [Sta97a]. Recently Engelfriet and Hoogeboom studied X- 
automata, i.e. automata equipped with a storage type X, including the cases of 
pushdown automata, Turing machines, Petri nets [EH93]. A way to investigate 
the expressive power of such machines is to study the topological complexity of 
the ω-languages they accept. For deterministic machines, it is shown in [EH93] 
that every X-automaton accepts boolean combinations of Π^0_2-sets. Hence in or- 
der to distinguish the different storage types it turned out that the study of 
the Wadge hierarchy is suitable. The Wadge hierarchy is a great refinement of 
the Borel hierarchy, recently studied by Duparc [Dup99a]. The Wadge hierar- 
chy of ω-regular languages has been determined in an effective way by Wagner 
[Wag79]. Several extensions of this hierarchy have been recently determined as 
the extension to deterministic pushdown automata, to k-blind counter automata, 
[DFR01] [Dup99b] [Fin00b]. We present here the extension to (one) blind counter 
automata, which is the first known effective extension. We study Muller blind 
counter automata (MBCA), and define chains and superchains as Wagner did 
for Muller automata. The essential difference between the two hierarchies relies 
on the existence of superchains of transfinite length α < ω² for MBCA. The 
hierarchy is effective and leads to effective winning strategies in Wadge games 
between MBCA. The hierarchy of Muller automata equipped with several blind 
counters is presented in a non effective way in [Fin00b] [DFR01]. 
2 Regular and Blind Counter ω-Languages 

We assume the reader to be familiar with the theory of formal languages and 
of ω-regular languages, see for example [HU69], [Tho90]. We first recall some 
definitions and results concerning ω-regular languages and omega pushdown au- 
tomata and introduce blind counter automata as a special case of pushdown 
automata [Tho90] [Sta97a]. 

When Σ is a finite alphabet, a finite string (word) over Σ is any sequence 
x = x_1 … x_k, where x_i ∈ Σ for i = 1, …, k, and k is an integer ≥ 1. The length 
of x is k, denoted by |x|. If |x| = 0, x is the empty word denoted by λ. 

We write x(i) = x_i and x[i] = x(1) … x(i) for i ≤ k and x[0] = λ. Σ* is the 
set of finite words over Σ. The first infinite ordinal is ω. An ω-word over Σ is 
an ω-sequence a_1 … a_n …, where a_i ∈ Σ, ∀i ≥ 1. When σ is an ω-word over Σ, 
we write σ = σ(1)σ(2) … σ(n) … and σ[n] = σ(1)σ(2) … σ(n) the finite word 
of length n, prefix of σ. The set of ω-words over the alphabet Σ is denoted by 
Σ^ω. An ω-language over an alphabet Σ is a subset of Σ^ω. 

The usual concatenation product of two finite words u and v is denoted u.v 
(and sometimes just uv). This product is extended to the product u.v of a finite 
word u and an ω-word v. 

For V ⊆ Σ*, V^ω = {σ = u_1 … u_n … ∈ Σ^ω / u_i ∈ V, ∀i ≥ 1} is the ω-power of 
V. 

R. McNaughton established that the expressive power of deterministic Muller 
automata (DMA) is equal to the expressive power of non deterministic Muller 
automata (MA) [Tho90]. An ω-language is regular iff it is accepted by a Muller 
automaton. The class REG_ω of ω-regular languages is the ω-Kleene closure of 
the class REG of (finitary) regular languages, where the ω-Kleene closure of a 
family L of finitary languages is: 

ω-KC(L) = { ⋃_{i=1}^{n} U_i.V_i^ω / U_i, V_i ∈ L, ∀i ∈ [1, n] } 

We now define the (blind) one counter machines which we assume here to be 
realtime and deterministic, and the corresponding classes of blind counter ω- 
languages. 

Definition 1. A (realtime deterministic) pushdown machine (PDM) is a 6-tuple 
M = (K, Σ, Γ, δ, q_0, Z_0), where K is a finite set of states, Σ is a finite input 
alphabet, Γ is the finite pushdown alphabet, q_0 ∈ K is the initial state, Z_0 ∈ Γ 
is the start symbol, and δ is a mapping from K × Σ × Γ into K × Γ*. 

If γ ∈ Γ^+ describes the pushdown store content, the leftmost symbol will be 
assumed to be on "top" of the store. A configuration of a PDM is a pair (q, γ) 
where q ∈ K and γ ∈ Γ*. 

For a ∈ Σ, γ ∈ Γ* and Z ∈ Γ, if (p, β) is in δ(q, a, Z), then we write 
a : (q, Zγ) ↦_M (p, βγ). 

↦*_M is the transitive and reflexive closure of ↦_M. (The subscript M will be 
omitted whenever the meaning remains clear.) 

Let σ = a_1 a_2 … a_n … be an ω-word over Σ. An infinite sequence of configu- 
rations r = (q_i, γ_i)_{i≥1} is called a run of M on σ, starting in configuration (p, γ), 
iff: 

1. (q_1, γ_1) = (p, γ) 

2. for each i ≥ 1, a_i : (q_i, γ_i) ↦_M (q_{i+1}, γ_{i+1}) 

For every such run, In(r) is the set of all states entered infinitely often during 
run r. 

A run r of M on σ, starting in configuration (q_0, Z_0), will be simply called 
"a run of M on σ". 

A one counter machine is a PDM such that Γ = {Z_0, I} where Z_0 is the 
bottom symbol and always remains at the bottom of the store. So the pushdown 
store is used like a counter whose value is the integer n if the content of the 
pushdown store is I^n Z_0. 

A one blind counter machine is a one counter machine such that every tran- 
sition which is enabled at zero level is also enabled at non zero level, i.e. if 
δ(q, a, Z_0) = (p, I^n Z_0), for some p, q ∈ K, a ∈ Σ and n ≥ 0, then δ(q, a, I) = 
(p, I^{n+1}). But the converse may not be true, i.e. some transition may be enabled 
at non zero level but not at zero level. 



Definition 2. A Muller (realtime deterministic) blind counter automaton 
(MBCA) is a 7-tuple A = (K, Σ, Γ, δ, q_0, Z_0, ℱ) where M = (K, Σ, Γ, δ, q_0, Z_0) 
is a (realtime deterministic) one blind counter machine and ℱ ⊆ 2^K is the 
collection of designated state sets. 

The ω-language accepted by A is L(A) = {σ ∈ Σ^ω / there exists a run r of 
A on σ such that In(r) ∈ ℱ}. 

The class of ω-languages accepted by MBCA will be denoted BC. 



Remark 3. Machines we call here one blind counter machines are sometimes 
called one partially blind counter machines as in [Gre78]. 

Remark 4. If M is a deterministic pushdown machine, then for every σ ∈ Σ^ω, 
there exists at most one run r of M on σ determined by the starting configura- 
tion. Each ω-language accepted by a Muller deterministic pushdown automaton 
(DMPDA) can be accepted by a DMPDA such that for every σ ∈ Σ^ω there 
exists such a run of M on σ. 

But this is not true for MBCA because some words x may be rejected by an 
MBCA A because the machine A blocks at zero level when reading x. This is 
connected with the fact that the class BC is not closed under complementation 
as it is shown by the following example. 

Example 5. It is easy to see that the ω-language L = {a^n b^p c^ω / p < n} is 
accepted by a deterministic MBCA, but its complement is not accepted by any 
deterministic MBCA because L' = {a^n b^p c^ω / p > n} is not accepted by any 
deterministic MBCA. 
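To make Definitions 1 and 2 and the blocking behaviour of Example 5 concrete, here is an added Python simulator (not code from the paper) for realtime deterministic one blind counter machines run on ultimately periodic ω-words u.v^ω. Because the machine is deterministic, the run on u.v^ω is unique, and as soon as a configuration (state, counter value) recurs at the start of a round of v, the states visited between the two occurrences are exactly In(r); if the counter keeps growing no configuration recurs and the simulator reports that it cannot decide within its round budget. The class and function names (MBCA, step, run_on, accepts, example5), the encoding of δ as a table (state, letter, top) ↦ (next state, counter change), and the transition table for Example 5 are this example's own constructions.

```python
"""Added example (not from the paper): simulator for Muller blind counter
automata on ultimately periodic omega-words, plus the MBCA of Example 5.
Encoding (this example's own): delta[(state, letter, top)] = (next_state, d)
with top 'Z0' when the counter is 0 and 'I' otherwise, d in {-1, 0, +1}."""
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Config = Tuple[str, int]          # (q, n) stands for the configuration (q, I^n Z0)
Delta = Dict[Tuple[str, str, str], Tuple[str, int]]


class MBCA:
    def __init__(self, delta: Delta, q0: str, family: Set[FrozenSet[str]]):
        self.delta = delta
        self.q0 = q0
        self.family = family      # the designated state sets (7th component of A)

    def is_blind(self) -> bool:
        """Definition 1: a transition enabled at zero level is also enabled at
        non-zero level, with the same target state and the same counter change."""
        for (q, a, top), (p, d) in self.delta.items():
            if top == "Z0" and (d < 0 or self.delta.get((q, a, "I")) != (p, d)):
                return False
        return True

    def step(self, cfg: Config, letter: str) -> Optional[Config]:
        """One transition; None when delta is undefined (the machine blocks)."""
        q, n = cfg
        move = self.delta.get((q, letter, "Z0" if n == 0 else "I"))
        if move is None:
            return None
        p, d = move
        return (p, n + d)

    def run_on(self, u: str, v: str, max_rounds: int = 1000):
        """("ok", In(r)) for the run r on u.v^omega; ("blocked", None) if no run
        exists; ("unknown", None) if no configuration recurred at a round start
        within max_rounds rounds of v (e.g. the counter grows without bound)."""
        cfg: Optional[Config] = (self.q0, 0)
        for a in u:
            cfg = self.step(cfg, a)
            if cfg is None:
                return ("blocked", None)
        first_round: Dict[Config, int] = {}
        visited: List[Set[str]] = []          # visited[k]: states entered in round k
        for k in range(max_rounds):
            if cfg in first_round:            # rounds first_round[cfg]..k-1 repeat forever
                inf: Set[str] = set()
                for states in visited[first_round[cfg]:]:
                    inf |= states
                return ("ok", frozenset(inf))
            first_round[cfg] = k
            states: Set[str] = set()
            for a in v:
                cfg = self.step(cfg, a)
                if cfg is None:
                    return ("blocked", None)
                states.add(cfg[0])
            visited.append(states)
        return ("unknown", None)

    def accepts(self, u: str, v: str, max_rounds: int = 1000) -> Optional[bool]:
        """True/False for membership of u.v^omega in L(A); None if undecided."""
        status, inf = self.run_on(u, v, max_rounds)
        if status == "ok":
            return inf in self.family
        return False if status == "blocked" else None


def example5() -> MBCA:
    """A deterministic MBCA for L = {a^n b^p c^omega / p < n} (constructed here):
    push on a, pop on b, and enter q2 on c only while the counter is positive."""
    delta: Delta = {
        ("q0", "a", "Z0"): ("q0", +1),
        ("q0", "a", "I"): ("q0", +1),
        ("q0", "b", "I"): ("q1", -1),   # enabled at non-zero level only: blocks once p >= n
        ("q1", "b", "I"): ("q1", -1),
        ("q0", "c", "I"): ("q2", 0),
        ("q1", "c", "I"): ("q2", 0),
        ("q2", "c", "I"): ("q2", 0),
    }
    return MBCA(delta, "q0", {frozenset({"q2"})})


if __name__ == "__main__":
    A = example5()
    print("blind:", A.is_blind())
    for u in ("aaabb", "aabb", "aabbb", "aaa"):
        print(u + ".c^omega ->", A.accepts(u, "c"))
```

Running it shows the asymmetry behind Remark 4: a^3 b^2 c^ω is accepted with In(r) = {q2}, while a^2 b^2 c^ω and a^2 b^3 c^ω are rejected only because the machine blocks at zero level, which is exactly the behaviour a deterministic MBCA cannot invert to accept the complement.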
3 Topology 

We assume the reader to be familiar with basic notions of topology which may 
be found in [Kur66] [LT94] [Sta97a] [PP98]. 

Topology is an important tool for the study of ω-languages, and leads to 
characterization of several classes of ω-languages. 

For a finite alphabet X, we consider X^ω as a topological space with the 
Cantor topology (see [LT94] [Sta97a] [PP98]). The open sets of X^ω are the 
sets in the form W.X^ω, where W ⊆ X*. A set L ⊆ X^ω is a closed set iff its 
complement X^ω − L is an open set. The class of open sets of X^ω will be denoted 
by G or by Σ^0_1. The class of closed sets will be denoted by F or by Π^0_1. Closed 
sets are characterized by the following: 

Proposition 6. A set L ⊆ X^ω is a closed set of X^ω iff for every σ ∈ X^ω: 
[∀n ≥ 1, ∃u ∈ X^ω such that σ(1) … σ(n).u ∈ L] implies that σ ∈ L. 

Define now the next classes of the Hierarchy of Borel sets of finite rank: 

Definition 7. The classes Σ^0_n and Π^0_n of the Borel Hierarchy on the topological 
space X^ω are defined as follows: 
Σ^0_1 is the class of open sets of X^ω. 
Π^0_1 is the class of closed sets of X^ω. 

Π^0_2 or G_δ is the class of countable intersections of open sets of X^ω. 

Σ^0_2 or F_σ is the class of countable unions of closed sets of X^ω. 

And for any integer n ≥ 1: 

Σ^0_{n+1} is the class of countable unions of Π^0_n-subsets of X^ω. 

Π^0_{n+1} is the class of countable intersections of Σ^0_n-subsets of X^ω. 

There is a nice characterization of Π^0_2-subsets of X^ω. First define the notion of W^δ: 

Definition 8. For W ⊆ X*, let: 

W^δ = {σ ∈ X^ω / ∃^ω i such that σ[i] ∈ W}. 

(σ ∈ W^δ iff σ has infinitely many prefixes in W). 

Then we can state the following Proposition: 

Proposition 9. A subset L of X^ω is a Π^0_2-subset of X^ω iff there exists a set 
W ⊆ X* such that L = W^δ. 

McNaughton's Theorem implies that every ω-regular language is a boolean 
combination of G_δ-sets, hence a Δ^0_3 = (Π^0_3 ∩ Σ^0_3)-set. This result holds in fact 
for every ω-language accepted by a deterministic X-automaton in the sense of 
[EH93], i.e. an automaton equipped with a storage type X, including the case of 
the Turing machine. A way to distinguish the expressive power of finite machines 
reading ω-words is the Wadge hierarchy which we now introduce. 
Definition 10. For E ⊆ X^ω and F ⊆ Y^ω, E is said to be Wadge reducible to 
F (E ≤_W F) iff there exists a continuous function f : X^ω → Y^ω such that 
E = f^{−1}(F). 

E and F are Wadge equivalent iff E ≤_W F and F ≤_W E. This will be 
denoted by E ≡_W F. And we shall say that E <_W F iff E ≤_W F but not 
F ≤_W E. 

A set E ⊆ X^ω is said to be self dual iff E ≡_W (X^ω − E), and otherwise it is 
said to be non self dual. 

The relation ≤_W is reflexive and transitive, and ≡_W is an equivalence relation. 
The equivalence classes of ≡_W are called Wadge degrees. 

WH is the class of Borel subsets of finite rank of a set X^ω, where X is a 
finite set, equipped with ≤_W and with ≡_W. 

For E ⊆ X^ω and F ⊆ Y^ω, if E ≤_W F and E = f^{−1}(F) where f is a 
continuous function from X^ω into Y^ω, then f is called a continuous reduction 
of E to F. Intuitively it means that E is less complicated than F because to 
check whether x ∈ E it suffices to check whether f(x) ∈ F where f is a con- 
tinuous function. Hence the Wadge degree of an ω-language is a measure of its 
topological complexity. 

Remark 11. In the above definition, we consider that a subset E ⊆ X^ω is given 
together with the alphabet X. This is necessary as it is shown by the following 
example. 

Let E = {0, 1}^ω considered as an ω-language over the alphabet X = {0, 1} 
and let F = {0, 1}^ω be the same ω-language considered as an ω-language over 
the alphabet Y = {0, 1, 2}. Then E is an open and closed subset of {0, 1}^ω but 
F is a closed and non open subset of {0, 1, 2}^ω. It is easy to check that E <_W F, 
hence E and F are not Wadge equivalent. 

Then we can define the Wadge class of a set F: 

Definition 12. Let F be a subset of X^ω. The Wadge class of F is [F] defined 
by: [F] = {E / E ⊆ Y^ω for a finite alphabet Y and E ≤_W F}. 

Recall that each Borel class Σ^0_n and Π^0_n is a Wadge class. 

There is a close relationship between Wadge reducibility and games which we 
now introduce. Define first the Wadge game W(A, B) for A ⊆ X_A^ω and B ⊆ X_B^ω: 

Definition 13. The Wadge game W(A, B) is a game with perfect information 
between two players, player 1 who is in charge of A and player 2 who is in charge 
of B. 

Player 1 first writes a letter a_1 ∈ X_A, then player 2 writes a letter b_1 ∈ X_B, 
then player 1 writes a letter a_2 ∈ X_A, and so on … 

The two players alternatively write letters a_n of X_A for player 1 and b_n of X_B 
for player 2. 

After ω steps, player 1 has written an ω-word a ∈ X_A^ω and player 2 has 
written an ω-word b ∈ X_B^ω. 

Player 2 is allowed to skip, even infinitely often, provided he really writes an 
ω-word in ω steps. 
Player 2 wins the play iff [a ∈ A ↔ b ∈ B], i.e. iff 

[(a ∈ A and b ∈ B) or (a ∉ A and b ∉ B and b is infinite)]. 

Recall that a strategy for player 1 is a function σ : (X_B ∪ {s})* → X_A. And a 
strategy for player 2 is a function f : X_A^+ → X_B ∪ {s}. 

σ is a winning strategy (w.s.) for player 1 iff he always wins a play when he uses 
the strategy σ, i.e. when the letter he writes is given by a_n = σ(b_1 … b_{n−1}), 
where b_i is the letter written by player 2 at step i and b_i = s if player 2 skips at 
step i. 

A winning strategy for player 2 is defined in a similar manner. 

Martin's Theorem states that every Gale-Stewart Game G(X) (see [Tho90] 
[PP98] for more details), with X a Borel set, is determined and this implies the 
following: 

Theorem 14 (Wadge). Let A ⊆ X_A^ω and B ⊆ X_B^ω be two Borel sets, where 
X_A and X_B are finite alphabets. Then the Wadge game W(A, B) is determined: 
one of the two players has a winning strategy. And A ≤_W B iff player 2 has 
a winning strategy in the game W(A, B). 

Recall that a set X is well ordered by a binary relation < iff < is a linear order on 
X and there is not any strictly decreasing (for <) infinite sequence of elements 
in X. 

Theorem 15 (Wadge). Up to the complement and ≡_W, the class of Borel 
subsets of finite rank of X^ω, for X a finite alphabet, is a well ordered hierarchy. 
There is an ordinal |WH|, called the length of the hierarchy, and a map d^0_W from 
WH onto |WH|, such that for all A, B ∈ WH: 

d^0_W A < d^0_W B ↔ A <_W B and 

d^0_W A = d^0_W B ↔ [A ≡_W B or A ≡_W B^−]. 

Remark 16. We do not give here the ordinal |WH|. Details may be found in 
[Dup99a]. 

4 Wagner Hierarchy and Its Extension 
to Blind Counter Automata 

Consider now ω-regular languages. Landweber studied first the topological prop- 
erties of ω-regular languages. He characterized the ω-regular languages in each 
of the Borel classes F, G, F_σ, G_δ, and showed that one can decide, for an effec- 
tively given ω-regular language L, whether L is in F, G, F_σ, or G_δ. 

It turned out that an ω-regular language is in the class G_δ iff it is accepted 
by a deterministic Büchi automaton. These results were refined by K. Wagner 
who studied the Wadge Hierarchy of ω-regular languages. In fact there is an 
effective version of the Wadge Hierarchy restricted to ω-regular languages: 

Theorem 17 (Corollary of Büchi-Landweber's Theorem [BL69]). For 
A and B some ω-regular sets, one can effectively decide which player has a w.s. 
in the game W(A, B) and the winner has a w.s. given by a transducer. 

The hierarchy obtained on ω-regular languages is now called the Wagner hier- 
archy and has length ω^ω. Wagner [Wag79] gave an automata structure charac- 
terization, based on the notions of chain and superchain, for an automaton to be in 
a given class and showed that the Wadge degree of an ω-regular language is 
computable. Wilke and Yoo proved in [WY95] that this can be done in polyno- 
mial time. Wagner's hierarchy has been recently studied by Carton and Perrin 
in connection with the theory of ω-semigroups [CP97] [CP98] [PP98] and by 
Selivanov in [Sel98]. 

We present in this paper an extension of the Wagner hierarchy to the class of 
blind counter ω-languages, using analogous notions of chains and superchains. 
We shall first define positive and negative loops, next chains and superchains. A 
crucial fact which allows this definition is the following lemma: 

Lemma 18. Let A = (K, Σ, Γ, δ, q_0, Z_0, ℱ) be a MBCA and x ∈ Σ^ω such that 
there exists an infinite run r = (q_i, I^{n_i} Z_0)_{i≥1} of A over x such that Inf(r) = 
F ⊆ K. Then there exist infinitely many integers i such that for all j ≥ i, 
n_j ≥ n_i. Among these integers there exist infinitely many integers i_k, k ≥ 1, and 
a state q ∈ K such that for all k ≥ 1, q_{i_k} = q. Then there exist two integers s, s' 
such that between steps i_s and i_{s'} of the run r, A enters every state of F and 
no other state of K, because Inf(r) = F. 

Proof. With the hypotheses of the lemma, assume that r = (q_i, I^{n_i} Z_0)_{i≥1} is an 
infinite run of A over x. If there exist only finitely many integers i such that for 
all j ≥ i, n_j ≥ n_i, then there exists a largest one l. But then if j_0 is an integer 
> l there exists an integer j_1 > j_0 such that n_{j_1} < n_{j_0}. By induction one could 
construct a sequence of integers (j_k)_{k≥0} such that for all k, n_{j_{k+1}} < n_{j_k}. This 
would lead to a contradiction because every integer n_{j_k} is positive. 

Then there exist infinitely many integers i such that ∀j ≥ i, n_j ≥ n_i. The 
set of states is finite, hence there exists a state q ∈ K and infinitely many such 
integers i_k, k ≥ 1, such that for all k ≥ 1, q_{i_k} = q and n_{i_k} > 0, or for all k ≥ 1, 
q_{i_k} = q and n_{i_k} = 0. Now if Inf(r) = F, the states not in F occur only finitely 
many times during run r, thus there exist two integers s < s' such that the set 
of states A enters between steps i_s and i_{s'} of the run r is exactly F. 

Remark 19. The proof of Lemma 18 relies on a simple property of local minima 
of functions mapping natural numbers to themselves. A similar argument is due 
to Linna [Linll]. 

Then we shall write 

(a) (q, I) →^F (q, I+) if n_{i_s} > 0 and n_{i_{s'}} > n_{i_s} 

(b) (q, I) →^F (q, I=) if n_{i_s} > 0 and n_{i_{s'}} = n_{i_s} 

(c) (q, Z_0) →^F (q, Z_0) if n_{i_s} = 0 and n_{i_{s'}} = 0 

The set F is said to be an essential set (of states) and we shall say that in 
the case (a) there exists a loop L(q, I, F, +), in the case (b) there exists a loop 
L(q, I, F, =), in the case (c) there exists a loop L(q, Z_0, F, =). Such a loop is pos- 
itive if F ∈ ℱ and it is negative if F ∉ ℱ. We then denote the loop L(q, I, F, =) 
by L^+(q, I, F, =) or L^−(q, I, F, =) and similarly in the other cases. 

Lemma 20. The set of essential sets and the set of positive and negative loops 
of a MBCA is effectively computable. 

This follows from the decidability of the emptiness problem for context free 
languages accepted by pushdown automata. 

We assume now some familiarity with the Wagner hierarchy as presented 
in [Wag79] [Sta97a]. The next step is to define, following Wagner's study, the 
(alternating) chains. Let E^+ (respectively E^−) be the set of essential sets in ℱ 
(respectively not in ℱ). An alternating chain of length n is in the form 

F_1 ⊂ F_2 ⊂ F_3 ⊂ … ⊂ F_n 

where F_i ∈ E^+ iff F_{i+1} ∈ E^− for 1 ≤ i < n. It is a positive chain if F_1 ∈ E^+ 
and a negative chain if F_1 ∈ E^−. 

As in the case of Muller automata [Sta97a], one can see that if F is a maximal 
essential set then all (alternating) chains of maximal length contained in F have 
the same sign (positive or negative) because in every chain of maximal length 
contained in F one can replace the last essential set by F itself. Let then l(F) 
be the maximal length of chains contained in F and s(F) be the sign of these 
chains. 
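Once the essential sets and their signs are known (Lemma 20 says they are computable; no algorithm for that part is given here), the chain invariants are a finite computation over the inclusion order. The Python below is an added example, not code from the paper: from a table of essential sets with their sign (positive when the set belongs to the family of designated sets) it computes, for each essential set F, the longest alternating chain ending in F, from which l(F), the signs of the longest chains contained in F, and the first invariant m (the maximal chain length, written m(A) below) follow. The essential sets in SAMPLE are constructed for illustration and the function names are this example's own.

```python
"""Added example (not from the paper): alternating chains of essential sets.
An alternating chain is F_1 < F_2 < ... < F_n (strict inclusion) whose signs
alternate; its sign is the sign of F_1.  The table of essential sets below is
constructed for illustration."""
from typing import Dict, FrozenSet, Tuple

EssentialSets = Dict[FrozenSet[str], bool]      # F -> True iff F is positive (F in the family)
ChainInfo = Tuple[int, bool]                     # (length, sign of the first element)


def chains_ending_at(essential: EssentialSets) -> Dict[FrozenSet[str], ChainInfo]:
    """Longest alternating chain ending exactly in F, for every essential set F.
    Dynamic programming in order of increasing size: all proper subsets of F
    are handled before F, so each F only looks at finished entries."""
    best: Dict[FrozenSet[str], ChainInfo] = {}
    for F in sorted(essential, key=len):
        length, sign = 1, essential[F]           # the chain consisting of F alone
        for G, (l_G, s_G) in best.items():
            # G may directly precede F iff G is a proper subset of F with the
            # opposite sign; the chain's first sign is inherited from G's chain.
            if G < F and essential[G] != essential[F] and l_G + 1 > length:
                length, sign = l_G + 1, s_G
        best[F] = (length, sign)
    return best


def l_and_s(essential: EssentialSets, F: FrozenSet[str]) -> Tuple[int, FrozenSet[bool]]:
    """l(F): maximal length of alternating chains contained in F, together with
    the signs of the chains of that length (one sign when they all agree)."""
    best = chains_ending_at(essential)
    inside = [(l, s) for G, (l, s) in best.items() if G <= F]
    l_F = max(l for l, _ in inside)
    return l_F, frozenset(s for l, s in inside if l == l_F)


def m_invariant(essential: EssentialSets) -> int:
    """The first invariant m(A): maximal length of chains of essential sets."""
    return max(l for l, _ in chains_ending_at(essential).values())


# Constructed essential sets of a hypothetical MBCA: {q1} (+) < {q1,q2} (-) <
# {q1,q2,q3} (+) is a positive chain of length 3; {q4} and {q3,q4} are both
# negative, so {q4} does not extend to a longer chain inside {q3,q4}.
SAMPLE: EssentialSets = {
    frozenset({"q1"}): True,
    frozenset({"q1", "q2"}): False,
    frozenset({"q1", "q2", "q3"}): True,
    frozenset({"q4"}): False,
    frozenset({"q3", "q4"}): False,
}

if __name__ == "__main__":
    for F, (length, sign) in chains_ending_at(SAMPLE).items():
        print(sorted(F), "chain length", length, "positive" if sign else "negative")
    print("m =", m_invariant(SAMPLE))
    print("l, s of the maximal set:", l_and_s(SAMPLE, frozenset({"q1", "q2", "q3"})))
```

Because a chain ending in F alternates, the sign of its first element is fixed by its length and the sign of F, which is why the longest chain ending in F carries a unique sign; ambiguity can only arise in l_and_s between different subsets of F of equal chain length, and the returned set of signs makes that visible.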

We now define the first invariant of the MBCA A as m(A) being the maximal 
length of chains of essential sets. Lemma 18 is crucial because it makes every 
essential set F_i of a chain F_1 ⊂ F_2 ⊂ F_3 ⊂ … ⊂ F_n indefinitely reachable from 
(q, I) (respectively (q, Z_0)) if there exists a loop L(q, I, F_n, + or =) (respectively 
L(q, Z_0, F_n, =)). 

The great difference between the case of Muller automata and the case of 
MBCA comes with the notion of superchain. Briefly speaking, in a MA A a 
superchain of length n is a sequence S_1, …, S_n of chains of length m(A) such 
that for every integer i, 1 ≤ i < n, S_{i+1} is reachable from S_i and S_{i+1} is positive 
iff S_i is negative. In the case of MA, S_i cannot be reachable from S_{i+1}, otherwise 
there would exist a chain of length > m(A). 

But in the case of MBCA, in such a superchain, S_i may be reachable from 
S_{i+1} but with a reachability which is limited by the counter. This leads 
to the notion of superchains of length ω, where ω is the first infinite ordinal, and 
next of length α where α is an ordinal < ω². 

An example of a MBCA A with m(A) = m and a superchain of length ω is 
obtained from two MA B and B' such that the graph of B is just constituted by a 
positive chain of length m with a maximal essential set F_m = {q_1, …, q_m} and the 
graph of B' is just constituted by a negative chain of length m with a maximal 
essential set F'_m = {q'_1, …, q'_m}. The behaviour of the MBCA A is as follows: at 
the beginning of an infinite run, the counter may be increased up to a counter 
value N; then there exist transitions from state q_1 to q'_1 and conversely from 
state q'_1 to q_1 but these transitions make the counter value decrease. Moreover 
A has also the transitions of the two MA B and B' but these transitions do not 
change the counter value. Then one can see that after a first transition from 
state q_1 to q'_1 or from q'_1 to q_1 the number of such transitions is bounded by the 
counter value N, but this initial value may be chosen > n_0 where n_0 is any given 
integer. 

Let then A be a MBCA such that m(A) = m and such that A has positive 
and negative chains of length m. A superchain of length ω is formed by two 
maximal loops L^+(q, I, F_m, + or =) and L^−(q', I, F'_m, + or =) of such chains, 
i.e. F_m is the last element of a positive chain of length m and F'_m is the last 
element of a negative chain of length m; moreover, for all p_0 ≥ 1, configurations 
(q, I^p Z_0) are reachable for integers p ≥ p_0, and there exist transitions implying 
that 

(q, I^p Z_0) ↦* (q', I^{p'} Z_0) ↦* (q, I^{p''} Z_0) 

for some integers p, p', p''. The MBCA A having no chain of length > m, 
it holds that p'' < p, because otherwise there would exist an essential set F ⊇ 
F_m ∪ F'_m and then there would exist a chain of length > m. And the loop 
L^+(q, I, F_m, + or =) is in fact L^+(q, I, F_m, =) and similarly L^−(q', I, F'_m, + 
or =) is L^−(q', I, F'_m, =). 

One can informally say that F_m is reachable from F'_m and conversely but 
after such transitions the counter value has decreased, hence there is a limitation 
to this reachability. 

Lemma 21. The set of superchains of length u> of a MBCA is effectively com- 
putable. 

Now one can define superchains of length u.p for an integer p > 1. Informally 
speaking a superchain of length uj.p is a sequence l7i, . . . , of superchains of 
length uj such that any state q of an essential set of i7i+i is reachable with 
unbounded values of the counter from any state of an essential set of It is 
now easy to define superchains of length Lv.p + s > 1, (with p, s some integers 
> 0), which are a sequence of a superchain of length s followed by a superchain 
of length (jj.p. 

In the case s > 0, the superchain is said to be positive if it begins with a 
positive chain and it is said to be negative if it begins with a negative chain. 

In the case s = 0, we consider now that a superchain Ω_1, ..., Ω_p of length ω.p is given with a loop L. Then it is said to be positive (respectively, negative) if Ω_1 is formed by two maximal loops L^+(q, I, F_m, =) and L^-(q', I, F'_m, =) of chains of length m(A) = m and configurations (q, I^p Z_0) are reachable for unbounded values of p ≥ 1 from the positive loop L (respectively, from the negative loop L).

We define now the second invariant of the MBCA A as n(A) being the maximal length of superchains (n(A) < ω^2). The MBCA is said to be prime if all superchains of length n(A) have the same sign, i.e. all are positive or all are negative. Denote s(A) = 0 if A is not prime, s(A) = 1 if all longest superchains are positive, and s(A) = −1 if all longest superchains are negative.

Lemma 22. Let A be a MBCA. Then n(A) and s(A) are computable. Moreover the set of superchains of length n(A) is computable.

We can now follow Wagner's study and define for α an ordinal < ω^2 and m an integer ≥ 1:

C^α_m = {L(A) / s(A) = 1 and m(A) = m and n(A) = α}

D^α_m = {L(A) / s(A) = −1 and m(A) = m and n(A) = α}

E^α_m = {L(A) / s(A) = 0 and m(A) = m and n(A) = α}

Using the Wadge game, one can now show that each class C^α_m, D^α_m or E^α_m defines a Wadge degree, i.e. all ω-languages in the same class C^α_m, D^α_m or E^α_m are Wadge equivalent. In other words C^α_m, D^α_m and E^α_m are the restrictions to the class BC of some Wadge degrees.

Moreover when α = n is an integer, this degree corresponds to the degree obtained in the Wagner hierarchy for the classes C^n_m, D^n_m or E^n_m.

The classes C^α_m, D^α_m, and E^α_m for m an integer ≥ 1 and α a non null ordinal < ω^2 form the coarse structure of the Wadge hierarchy of BC. It is a strict extension of the coarse structure of the Wagner hierarchy studied in [Wag79] and it satisfies the following Theorem.

Theorem 23. Let A and B be two MBCA accepting the ω-languages L(A) and L(B). Then it holds that:

1. If m(A) < m(B), then L(A) <_W L(B).

2. If m(A) = m(B), and n(A) < n(B), then L(A) <_W L(B).

3. If m(A) = m(B), n(A) = n(B), s(A) = 1 or s(A) = −1, and s(B) = 0, then L(A) <_W L(B).

4. If m(A) = m(B), n(A) = n(B), s(A) = 1 and s(B) = −1, then L(A) and L(B) are non self dual and L(A) =_W L(B)^−.

From this Theorem one can easily infer that the integer m(A), the ordinal n(A), and s(A) ∈ {−1, 0, 1} are invariants of the ω-language L(A) and not only of the MBCA A:

Corollary 24. Let A and B be two MBCA accepting the same ω-language L(A) = L(B). Then m(A) = m(B), n(A) = n(B), and s(A) = s(B).

One can give a canonical member in each of the classes C^α_m, D^α_m, and E^α_m for m an integer ≥ 1 and α a non null ordinal < ω^2. And one can easily deduce that the length of the coarse structure of the Wadge hierarchy of blind counter ω-languages is the ordinal while the length of the coarse structure of the Wagner hierarchy was the ordinal

The coarse structure of the class BC is effective but it is not exactly the Wadge hierarchy of BC, because each class is the union of countably many (restrictions of) Wadge degrees. We can next define a sort of derivation as Wagner did for Muller automata.

Two MBCA A and B in the same class have essentially the same “most difficult parts” because they have positive and negative superchains of length n(A) = n(B). Hence, in the case of Muller automata (then α is an integer), Wagner's idea was to cut off the superchains of length n(A) = n(B) of A and B; this way one gets some new automata dA and dB which are called the derivations of A and B, and the comparison of A and B with regard to ≤_W is reduced to the comparison of their derivations dA and dB.

In the case of MBCA one does as in the case of MA but with some modification. We first define the derivation dA of a MBCA in E^α_m: A = (K, Σ, Γ, δ, q_0, Z_0, 𝓕) as follows.

Let dK be the set of states in K from which some positive and some negative superchains of length n(A) are reachable. In fact for each such q ∈ dK, there may exist an integer n_q such that positive and negative superchains of length n(A) are reachable only from configurations (q, I^n Z_0) with n ≥ n_q. And these integers n_q are effectively computable. Let us define now

dA = (dK, Σ, Γ = {I, Z_0}, dδ, q_0, Z_0, d𝓕)

where dδ is defined by:

for each q ∈ dK, a ∈ Σ, Z ∈ Γ:

dδ(q, a, Z) = δ(q, a, Z) if δ(q, a, Z) = (p, γ) for some γ ∈ Γ* and p ∈ dK. Otherwise dδ(q, a, Z) is undefined.

And d𝓕 = {F / F ⊆ dK and F ∈ 𝓕}.

We consider now the MBCA dA given with the integers n_q, for q ∈ dK. Then we study the loops of dA as above but we keep only loops in the form L(q, Z_0 or I, F, + or −) such that state q is reachable with a counter value n ≥ n_q. We can next define chains and superchains for d'A = (dA, (n_q)_{q∈dK}). We define m(d'A), n(d'A), and s(d'A), and it holds that m(d'A) ≤ m(A). We then attribute a class to d'A. It may happen that there does not exist any loop for d'A = (dA, (n_q)_{q∈dK}); in that case we associate the class E to d'A. Now we can iterate this process and associate to the MBCA A a name N(A) which is inductively defined by:

1. If A is prime and s(A) = 1, then N(A) = C^{n(A)}_{m(A)}.

2. If A is prime and s(A) = −1, then N(A) = D^{n(A)}_{m(A)}.

3. If A is not prime then N(A) = E^{n(A)}_{m(A)}.N(d'A).

This name depends only on the ω-language L(A) accepted by the MBCA A and is effectively computable. We can write it in a similar fashion as in Wagner's study: we associate with each blind counter ω-language L(A) in BC a name in the form:

N(A) = E^{α_1}_{m_1} ... E^{α_k}_{m_k} H^{α_{k+1}}_{m_{k+1}}

where m_1 > m_2 > ... > m_k > m_{k+1} are integers; each α_i is an ordinal < ω^2 and H ∈ {C, D}, or in the form:

N(A) = E^{α_1}_{m_1} ... E^{α_k}_{m_k} E

which we shall simply denote by

N(A) = E^{α_1}_{m_1} ... E^{α_k}_{m_k}

where m_1 > m_2 > ... > m_k are integers and each α_i is an ordinal < ω^2.

One can show that each such name is really the name of an ω-language in BC. And the Wadge relation ≤_W is now computable because of the following result.

Theorem 25. Let A and B be two MBCA accepting the ω-languages L(A) and L(B). Assume that the names associated with the MBCA A and B are:

N(A) = E^{α_1}_{m_1} ... E^{α_k}_{m_k} H^{α_{k+1}}_{m_{k+1}}

N(B) = E^{α'_1}_{m'_1} ... E^{α'_l}_{m'_l} H'^{α'_{l+1}}_{m'_{l+1}}

where (H = E or H = C or H = D), and (H' = E or H' = C or H' = D).

Then L(A) ≤_W L(B) if there exists an integer j ≤ min(k+1, l+1) such that m_i = m'_i and α_i = α'_i for 1 ≤ i ≤ j and one of the two following properties holds.

1. j = k+1 ≤ l+1 and H' = E or H = H'.

2. j < min(k+1, l+1) and m_{j+1} < m'_{j+1} or (m_{j+1} = m'_{j+1} and α_{j+1} < α'_{j+1}).

Then the structure of the Wadge hierarchy of ω-languages in BC is completely determined. One can show that a blind counter ω-language L(A), where A is a MBCA, is in the class Δ^0_2 iff m(A) < 2, i.e. iff the name of A is in the form C^α_1, D^α_1, or E^α_1, for α < ω^2. Thus the Wadge hierarchy restricted to the class BC ∩ Δ^0_2 has length ω^2 while the Wadge hierarchy restricted to REG_ω ∩ Δ^0_2 has length ω. The Wadge hierarchy of BC ∩ Δ^0_2 is then a great extension of the Wagner hierarchy restricted to the class Δ^0_2. This phenomenon is still true for larger Wadge degrees and non Δ^0_2-sets. Considering the length of the whole hierarchy of BC we get the following:

Corollary 26. (a) The length of the Wadge hierarchy of blind counter ω-languages in Δ^0_2 is ω^2.

(b) The length of the Wadge hierarchy of blind counter ω-languages is the ordinal ω^ω (hence it is equal to the length of the Wagner hierarchy).

Once the structures of two MBCA A and B are determined as well as their names N(A) and N(B) are effectively computed, one can construct winning strategies in Wadge games W(L(A), L(B)) and W(L(B), L(A)). These strategies may be defined by blind counter transducers, and this extends Wagner's result to blind counter automata.
5 Concluding Remarks

This extended abstract is still a very summarized presentation of our results, which will need exposition of many other details we could not include in this paper [Fin00a].

We have considered above deterministic real time blind counter automata, which form a subclass of the class of deterministic pushdown automata and of the class of deterministic k-blind counter automata. The Wadge hierarchies of ω-languages in each of these classes have been determined in a non effective way, by other methods, in [Dup99b] [Fin99b] [Fin00b], and these results had been announced in the survey [DFR01]. The Wadge degrees in these hierarchies may be described with similar names

N(A) = E^{α_1}_{m_1} ... E^{α_k}_{m_k} H^{α_{k+1}}_{m_{k+1}}

where m_1 > m_2 > ... > m_k > m_{k+1} are integers ≥ 1 and H ∈ {C, D, E}, and

1. each α_i is an ordinal < in the case of k-blind counter automata.

2. each α_i is an ordinal < in the case of deterministic pushdown automata.

We will further extend the results of the present paper in both directions to get decidability results and effective winning strategies in Wadge games. The above case of (one) blind counter automata already introduces some of the fundamental ideas which we will apply in further cases.

Another problem is to study the complexity of the problem: “determine the Wadge degree of a blind counter ω-language”, extending this way the results of Wilke and Yoo to blind counter ω-languages.

Further study would be the investigation of links between the problems of simulation and bisimulation [Jan00] [JKM00] [JMS99] [Kuc00] and the problem of finding winning strategies in Wadge games.

A Wadge game between two blind counter ω-languages, whose complements are also blind counter ω-languages, can easily be reduced to a Gale-Stewart game (see [Tho95] [PP98]), with a winning set accepted by a deterministic 2-blind-counter automaton. This suggests that Walukiewicz's result, the proof of the existence of effective winning strategies in a Gale-Stewart game with a winning set accepted by a deterministic pushdown automaton [Wal96], could be extended to the case of a winning set accepted by a deterministic multi blind counter automaton, giving additional results as asked by Thomas in [Tho95].
Abstract. We define an extension of the weak monadic second-order logic of one successor (WS1S) with an infinite family of relations and show its decidability. Analogously to the decision procedure for WS1S, automata are used. But instead of using word automata, we use tree automata that accept or reject words. In particular, we encode a word in a complete leaf labeled tree and restrict the acceptance condition for tree automata to trees that encode words. As applications, we show how this extension can be applied to reason automatically about parameterized families of combinational tree-structured circuits and used to solve certain decision problems.

Keywords: tree automata, word languages, weak monadic second-order logic of one successor, WS1S



1 Introduction

The tight relation between automata and logics has been used to show the decidability of several decision problems for monadic second-order logics. For instance, the decidability of the weak monadic second-order logic of one successor, WS1S, was shown using word automata [5,11,24], and the decidability of the weak monadic second-order logic of two successors, WS2S, was shown using tree automata [22,8]. Although the theory of WS1S is non-elementary decidable [20], the Mona system [16,9] - decision procedures for WS1S and WS2S - has proved useful and efficient in practice, e.g. [3,1,10].

The decidability result presented here exploits - analogously to the decision procedures for WS1S and WS2S - the relation between automata and monadic second-order logics. But instead of using word automata that read words and tree automata that read trees, we use tree automata to describe word languages. In particular, we encode a word in a complete leaf labeled tree and restrict the acceptance condition of tree automata to this subset of trees. The set of word languages that can be described by tree automata is a proper superset of the regular word languages and has useful properties, e.g., it is effectively closed under the Boolean operations and the emptiness problem is decidable. We show that, as a result, there is a decidable extension of WS1S with an infinite family of relations.



L. Fribourg (Ed.): CSL 2001, LNCS 2142, pp. 384-398, 2001.
© Springer-Verlag Berlin Heidelberg 2001

Decision Procedure for an Extension of WS1S 385



We present two applications of this extension. First, we show how the extension can be used to reason automatically about parameterized families of combinational tree-structured circuits. Second, we show how results that were previously established using other techniques naturally fall out of our formalism.

For example, the subset P of the natural numbers that are a power of two is a predicate that is included in the family of relations. The decidability of the theory of the weak monadic second-order logic over the structure (N, succ, P) was already shown by Elgot and Rabin in [12]. They construct an ω-word automaton A, for a sentence φ of the monadic second-order logic over (N, succ, P), treating the predicate symbol P as a free second-order variable. They show that it is decidable if A accepts the characteristic ω-word χ_P (the ith letter of χ_P is 1 iff i ∈ P).^1 The decidability of the theory of the weak monadic second-order logic over the structure (N, succ, P) follows immediately from the fact that finiteness of a subset of natural numbers can be expressed in the monadic second-order logic of one successor, S1S. This decision procedure only holds for closed formulas and is based on the decidability of S1S, i.e., it uses ω-word automata.

Using tree automata to decide the theory of the weak monadic second-order logic of (N, succ, P) has advantages in implementing a decision procedure. First, we avoid the algorithmically difficult constructions of ω-word automata, like complementing Büchi word automata. Second, tree automata can be efficiently minimized (the author is unaware of any implementation that minimizes ω-automata efficiently in general). Third, we can use an existing implementation of tree automata, such as in the Mona system [4]. Further, we can implement a decision procedure that returns a counter-example and a fulfilling substitution for the free variables of a formula.

We proceed as follows. In §2 we provide background material. In §3 we define how tree automata can be used to describe word languages and prove properties about the set of word languages characterized by tree automata. In §4 we show the decidability of our extension of WS1S. We also apply the extension to reason about parameterized families of combinational tree-structured circuits. Finally, in §5 we discuss future work.



2 Background 

2.1 Words and Trees 

Σ* is the set of all words over the alphabet Σ. We write λ for the empty word. For u, v ∈ Σ*, the concatenation of u and v is written as uv, and |u| denotes u's length. Let B be the alphabet {0, 1}.

A (full binary) Σ-labeled tree is a function t where the range of t is Σ and the domain of t, dom(t), is a finite nonempty subset of B* where (i) dom(t) is prefix-closed, and (ii) u0 ∈ dom(t) iff u1 ∈ dom(t). The elements of dom(t) are called nodes, and λ ∈ dom(t) is called the root. The node ub ∈ dom(t), with b ∈ B, is a successor of u. A node is an inner node if it has successors and is a leaf otherwise. A node u ∈ dom(t) is Γ-labeled, for Γ ⊆ Σ, if t(u) ∈ Γ.

^1 More recently, in [6] it was shown that for any morphic predicate P ⊆ N the problem if an ω-word automaton accepts the ω-word χ_P is decidable.

The height of t is |t| = max{|u| | u ∈ dom(t)}. The subtree of t with the root u ∈ dom(t) is denoted by t_u; it is dom(t_u) = {v | uv ∈ dom(t)} and t_u(v) = t(uv). The frontier of t is the word in Σ* where the ith letter is the label of the ith leaf in t (from the left). A tree is complete if all its leaves have the same length.

2.2 Word and Tree Automata 

We briefly recall the definitions of nondeterministic word and tree automata.

A (nondeterministic) word automaton A is a tuple (Σ, Q, Q_0, F, δ), where Σ is a nonempty finite alphabet, Q is a nonempty finite set of states, Q_0 ⊆ Q is a set of initial states, F ⊆ Q is a set of final states, and δ : Q × Σ → 𝒫(Q) is a transition function. A run of A on a word w = a_1 ... a_n ∈ Σ* is a nonempty word π = s_1 ... s_{n+1} ∈ Q* with s_1 ∈ Q_0 and s_{i+1} ∈ δ(s_i, a_i) for 1 ≤ i ≤ n. π is accepting if s_{n+1} ∈ F. A accepts w if there is an accepting run of A on w; the accepted language of A, L(A), is the set of words over Σ that A accepts.

A (nondeterministic binary top-down) tree automaton is defined analogously: A is a tuple (Σ, Q, Q_0, F, δ), where Σ, Q, Q_0, and F are as above. The transition function is δ : Q × Σ → 𝒫(Q × Q). A run of A on a Σ-labeled tree t is a Q-labeled tree π, where dom(π) = {λ} ∪ {ub | u ∈ dom(t) and b ∈ B}. Moreover, π(λ) ∈ Q_0 and for u ∈ dom(t), (π(u0), π(u1)) ∈ δ(π(u), t(u)). The run π is accepting if π(u) ∈ F for any leaf u ∈ dom(π). A accepts t if there is an accepting run of A on t; A accepts t from q ∈ Q if (Σ, Q, {q}, F, δ) accepts t. The accepted language of A is the set of Σ-labeled trees that A accepts.

Word automata and tree automata recognize the regular word and tree languages, and are effectively closed under intersection, union, complement and projection. For a detailed account of regular word and tree languages see [17] and [13,7], respectively.

3 Tree Automata over Words 

A natural way to define an acceptance condition for a tree automaton A for words is the following: A accepts the word w if there is a tree t with frontier w and A accepts t. It is known that the set of word languages that are described in this way are exactly the context-free languages (see [13]). The context-free languages are not closed under intersection and complement. In the following, we characterize a set of word languages which is effectively closed under the Boolean operations, contains the regular word languages, and for which the emptiness problem is decidable. For doing so, we restrict the input of tree automata to complete leaf labeled trees.

Let Σ be a nonempty finite alphabet, and for the remainder of the text let □ and # be two new symbols, i.e. □, # ∉ Σ. We use the notation Σ_□ for Σ ∪ {□}, Σ_# for Σ ∪ {#}, and Σ_{□,#} for Σ ∪ {□, #}. A Σ-leaf labeled tree t is a Σ_#-labeled tree where all inner nodes are labeled with # and all leaves are Σ-labeled. The complete Σ_□-leaf labeled tree t where the frontier is w□^k (for some k ≥ 0) is an input tree of the word w ∈ Σ*. t is minimal if k = min{m | |w| + m is a power of 2}. Note that the minimal input tree of a word in Σ* is unique.



3.1 Acceptance Conditions 

We define two different conditions for tree automata for accepting words. We will show in Lemma 3 that both are related, i.e., describe the same set of word languages. We will switch between the two acceptance conditions for proving properties (e.g. Lemma 6 and Theorem 9) about this set of word languages.

Definition 1. Let A = (Σ_{□,#}, Q, Q_0, F, δ) be a tree automaton.

i) A star-accepts the word w ∈ Σ* if A accepts an input tree of w. W_*(A) ⊆ Σ* denotes the set of words that A star-accepts.

ii) A minimal-accepts the word w ∈ Σ* if A accepts the minimal input tree of w. W(A) ⊆ Σ* denotes the set of words that A minimal-accepts.



Example 2. Let A be the tree automaton (B_{□,#}, {q_1, q_0, q_ok}, {q_1}, {q_ok}, δ) with

δ(q_1, 0) = ∅, δ(q_1, 1) = {(q_ok, q_ok)}, δ(q_1, □) = ∅, δ(q_1, #) = {(q_0, q_1)},

δ(q_0, 0) = {(q_ok, q_ok)}, δ(q_0, 1) = ∅, δ(q_0, □) = ∅, δ(q_0, #) = {(q_0, q_0)},

and δ(q_ok, a) = ∅, for a ∈ B_{□,#}. A minimal-accepts w ∈ B* iff w = 0...01 and |w| is a power of 2. Note that in this example, W(A) = W_*(A).

The two different acceptance conditions are related as follows:

Lemma 3. Let A = (Σ_{□,#}, Q, Q_0, F, δ) be a tree automaton.

a) We can construct a tree automaton B with W(A) = W_*(B).
b) We can construct a tree automaton C with W_*(A) = W(C).

Proof (sketch). a) We construct B such that it accepts the intersection of the set of trees that A accepts and the set of trees where the right subtree of the root contains a leaf that is not labeled with □.

The set of states of the tree automaton B is Q ∪ {q̄ | q ∈ Q} ∪ {p_0} where p_0 is new, {p_0} is the set of initial states and the set of final states is F ∪ {q̄ | q ∈ F}. To define the transition function ρ of B, let q ∈ Q and a ∈ Σ_{□,#}. Then ρ is

ρ(q, a) = δ(q, a),

ρ(q̄, a) = {(q_L, q̄_R) | (q_L, q_R) ∈ δ(q, a)} ∪ {(q̄_L, q_R) | (q_L, q_R) ∈ δ(q, a)} if a = #, ∅ if a = □, δ(q, a) otherwise,

and

ρ(p_0, a) = ∪_{q∈Q_0} {(q_L, q̄_R) | (q_L, q_R) ∈ δ(q, #)} if a = #, ∪_{q∈Q_0} δ(q, a) otherwise.

A simple induction over the height of an input tree t shows that if a node u in an accepting run π of B on t is labeled with a state q̄, then there exists a leaf in the subtree t_u that is Σ-labeled. From the definition of ρ(p_0, a) it follows that if B accepts an input tree then there is a Σ-labeled leaf in the right subtree of the root. Thus, t is minimal. From the definition of ρ it follows that W(A) = W_*(B).

b) The idea of the construction of C is that C guesses the state from which to minimal-accept the tree that A accepts, while taking care that this state is reachable from the initial state such that only □s are generated to the right of the word.

The set of states of the tree automaton C is P = Q ∪ {(q, T) | q ∈ Q and T ⊆ Q} and the set of final states is E = F ∪ {(q, T) | q ∈ F and T ⊆ F}. The transition function ρ of C is as follows: ρ restricted to Q × Σ_{□,#} is identical to δ, and

ρ((q, T), #) = {(q', (q'', T')) | (q', q'') ∈ δ(q, #) and for every t ∈ T, δ(t, #) ∩ T' × T' ≠ ∅},

and for a ∈ Σ_□

ρ((q, T), a) = {(q', (q'', T')) | (q', q'') ∈ δ(q, a) and for every t ∈ T, δ(t, □) ∩ T' × T' ≠ ∅}.

We say that C reaches the state (q, T) in h ≥ 0 steps if there exists a run π of A on the complete {#}-labeled tree t of height h with π(λ) ∈ Q_0, π(0^h) = q, and {π(u) | |u| = h and u ≠ 0^h} = T. The set of initial states is P_0 = {(q, T) | C reaches (q, T) in h ≥ 0 steps}. A pigeon-hole argument proves that C reaches (q, T) in h ≥ 0 steps iff C reaches (q, T) in less than |Q| 2^{|Q|} + 1 steps. Thus, P_0 is computable.

It can be shown by induction over the height of an input tree that W_*(A) = W(C). We omit it. □



3.2 Relation to Regular Languages

A word language L ⊆ Σ* is tree-accepted if L = W(A) for some tree automaton A.

Theorem 4. The set of regular word languages is a proper subset of the set of word languages that are tree-accepted.

Proof (sketch). The language in Example 2 is not regular (it is even not context-free). It remains to show that for every word automaton A = (Σ, Q, Q_0, F, δ) there exists a tree automaton B with the alphabet Σ_{□,#} that tree-accepts the word language of A.

The set of states of B is P = (Q × Q) ∪ {q_ok}, the set of initial states is P_0 = {(q, q') | q ∈ Q_0 and q' ∈ F}, the set of final states is {q_ok}, and the transition function ρ is as follows: ρ(q_ok, a) = ∅, for a ∈ Σ_{□,#}, and

ρ((q, q'), a) = {((q, p), (p, q')) | p ∈ Q} if a = #, {(q_ok, q_ok)} if a ∈ Σ and q' ∈ δ(q, a), {(q_ok, q_ok)} if a = □ and q = q', ∅ otherwise.

Intuitively, B guesses with a state in P_0 the initial and the final state of an accepting run of A on w ∈ Σ*. From level to level of the minimal input tree of w, B guesses the missing states of the run of A. Finally, B checks at the leaves of the minimal input tree if the guesses really correspond to a run of A on w. □



3.3 Closure Properties

The projection of L ⊆ Σ* w.r.t. the equivalence relation ~ ⊆ Σ × Σ is the set L/~ = {a_1 ... a_n ∈ Σ* | there exist b_1 ... b_n ∈ L with a_i ~ b_i for all 1 ≤ i ≤ n}. We can use the standard constructions for tree automata to show the closure under the Boolean operations. The correctness of the construction for complementation follows from the fact that the minimal input tree of a word is unique.

Theorem 5. The set of tree-accepted word languages is effectively closed under complement, union, and projection.

Closure under complement and union is used in §4 to handle the connectives ¬ and ∨ in the weak monadic second-order logic. To handle the existential quantification over finite subsets of N, we need - additionally to the closure under projection - the notion of a right quotient and the closure property stated in the next lemma. The right quotient of L ⊆ Σ* w.r.t. L' ⊆ Σ* is L/L' = {w ∈ Σ* | there exists a w' ∈ L' with ww' ∈ L}.

Lemma 6. Let A = (Σ_{□,#}, Q, Q_0, F, δ) be a tree automaton and let Γ ⊆ Σ. We can construct a tree automaton B with W(B) = W(A)/Γ*.

Proof (sketch). By Lemma 3b) it is sufficient to construct a tree automaton B with W_*(B) = W(A)/Γ*. We first give the intuition how B simulates runs of A. Let t be the minimal input tree of the word ww' with w ∈ Σ* and w' ∈ Γ*. B guesses the input tree t' of w with |t| = |t'|. Note that dom(t) = dom(t') and that t(u) = t'(u) = # for all inner nodes u. B makes on an inner node u the same transitions as A. Additionally, B guesses if the subtree t_u is a {□}-leaf labeled tree. For a leaf u with t'(u) = □, B guesses the labeling t(u).

Let B = (Σ_{□,#}, P, Q_0, E, ρ) with P = Q ∪ {q̄ | q ∈ Q}, E = F ∪ {q̄ | q ∈ F}, and for a ∈ Σ_{□,#} and q ∈ Q, let

ρ(q, a) = ∪_{b∈Γ} δ(q, b) if a = □, {(q_L, q̄_R) | (q_L, q_R) ∈ δ(q, #)} ∪ {(q_L, q_R) | (q_L, q_R) ∈ δ(q, #)} if a = #, δ(q, a) otherwise,

and

ρ(q̄, a) = ∅ if a ∈ Σ, {(q̄_L, q̄_R) | (q_L, q_R) ∈ δ(q, a)} otherwise.

W(A)/Γ* ⊆ W_*(B): Assume that ww' ∈ W(A) with w' ∈ Γ*. We have to show that B star-accepts w. Let t be the minimal input tree of ww', and let t' be the input tree of w with |t'| = |t|. B makes the same transitions on t' as A on t with the difference that if all the leaves of the subtree t_u for u ∈ dom(t) are labeled with □, then B guesses the state q̄ instead of q ∈ Q.

W_*(B) ⊆ W(A)/Γ*: Assume that B star-accepts w ∈ Σ*. We have to show that there is a w' ∈ Γ* such that A minimal-accepts ww'. Let t be an input tree of w and u a node of t labeled with □. Note that B can only guess in u a letter in Γ, if it is in a state q ∈ Q. But by definition of ρ(q, #), B must also guess a letter in Γ for the nodes u' that are labeled with □ and are left of u. Thus, there exists a w' ∈ Γ* with ww' ∈ W(A). □



3.4 Emptiness Problem

The emptiness problem (for tree automata over words) is to decide if a tree automaton minimal-accepts some word. We give an algorithm that runs in linear space in the size of the given tree automaton deciding if it star-accepts some word. The emptiness problem can then be decided with Lemma 3a).

For the remainder of this section, let A = (Σ_{□,#}, Q, Q_0, F, δ) be a tree automaton. To determine if W_*(A) = ∅, we define the sets P^h_Σ, P^h_□, P^h_{Σ□} ⊆ Q for h ≥ 0. Intuitively, q ∈ P^h_Σ iff A accepts from q a complete Σ-leaf labeled tree of height h, q ∈ P^h_□ iff A accepts from q a complete {□}-leaf labeled tree of height h, and q ∈ P^h_{Σ□} iff A accepts from q an input tree of height h. Formally,

P^h_Σ = {q ∈ Q | δ(q, a) ∩ F × F ≠ ∅ with a ∈ Σ} if h = 0, {q ∈ Q | δ(q, #) ∩ P^{h−1}_Σ × P^{h−1}_Σ ≠ ∅} otherwise,

P^h_□ = {q ∈ Q | δ(q, □) ∩ F × F ≠ ∅} if h = 0, {q ∈ Q | δ(q, #) ∩ P^{h−1}_□ × P^{h−1}_□ ≠ ∅} otherwise,

and

P^h_{Σ□} = P^0_Σ ∪ P^0_□ if h = 0, P^h_Σ ∪ {q ∈ Q | δ(q, #) ∩ P^{h−1}_{Σ□} × P^{h−1}_□ ≠ ∅} otherwise.







The following lemma can be proven by induction over the height of an input tree.

Lemma 7. Let q be a state of A. Then A accepts some input tree t of height h from q iff q ∈ P^h_{Σ□}.

Lemma 8. For q ∈ Q and h ≥ 0 with q ∈ P^h_{Σ□} there exists an h' with h' ≤ |Q| 2^{2|Q|} and q ∈ P^{h'}_{Σ□}.

Proof (sketch). Assume that h > |Q| 2^{2|Q|} and h is minimal, i.e., for all h' < h, q ∉ P^{h'}_{Σ□}. By Lemma 7, there is an input tree t such that |t| = h and A accepts t from q. We show by an application of the pigeon hole argument that A accepts an input tree t' from q with |t'| < |Q| 2^{2|Q|}. By Lemma 7, q ∈ P^{|t'|}_{Σ□}. This contradicts the assumption that h is minimal.

Let π be an accepting run on t. Note that π is a complete Q-labeled tree with |π| = |t| + 1 and each leaf of π is F-labeled. We extend π to subsets of nodes, i.e., for U ⊆ dom(π), π(U) = {π(u) | u ∈ U}. The nodes in a level 0 ≤ k ≤ |t| of π can be partitioned into a triple (U_k, w_k, V_k) such that π(U_k) ⊆ P^{|t|−k}_Σ, π(w_k) ∈ P^{|t|−k}_{Σ□} and π(V_k) ⊆ P^{|t|−k}_□. This can be shown by induction over k.

Since there are 2^{|Q|} many subsets of Q, there are m, n ≤ |Q| 2^{2|Q|} with m < n such that

π(U_m) = π(U_n), π(w_m) = π(w_n), and π(V_m) = π(V_n).

Note that for each node u ∈ U_m there is a node u' ∈ U_n with π(u) = π(u'), and similarly for each node u ∈ V_m. We can construct an accepting run π' for an input tree t' with |t'| < |t|: Each subtree π_u for u ∈ U_m can be replaced by a subtree π_{u'} with u' ∈ U_n and π(u) = π(u'), the subtree π_{w_m} can be replaced by the subtree π_{w_n}, and each subtree π_u for u ∈ V_m can be replaced by a subtree π_{u'} with u' ∈ V_n and π(u) = π(u'). □

The correctness of the algorithm in Figure 1 follows from the two lemmas above. The algorithm runs in O(|Q|) space.

Theorem 9. The emptiness problem for tree automata over words is PSPACE-complete.

Proof. The emptiness problem is in PSPACE since the construction in Lemma 3a) can be done in polynomial time and the algorithm in Figure 1 runs in polynomial space.

We show the hardness by reducing the reachability problem for 2-set systems^2 to the emptiness problem. In [21] it was shown that the reachability problem for 2-set systems is PSPACE-hard.

^2 A set system over a finite set S is a functional relation → ⊆ 𝒫(S) × 𝒫(S). We write X → Y for (X, Y) ∈ →. N ⊆ S is the successor of M ⊆ S, M ⇒ N, if N = ∪_{X→Y, X⊆M} Y. ⇒* denotes the reflexive, transitive closure of ⇒. The functional relation → is a 2-set system if |X| = 2 and 1 ≤ |Y| ≤ 2 for each X → Y. The reachability problem for 2-set systems is to decide if for a 2-set system → over S and S_0, S_1 ⊆ S, there exists a set S' ⊆ S such that S_0 ⇒* S' and S' ∩ S_1 ≠ ∅.
Input: tree automaton A = (Σ_{□,#}, Q, Q_0, F, δ)
Output: returns true iff W_*(A) ≠ ∅

h := 0;
P_Σ := {q ∈ Q | δ(q, a) ∩ F × F ≠ ∅ for a ∈ Σ};
P_□ := {q ∈ Q | δ(q, □) ∩ F × F ≠ ∅};
P_{Σ□} := P_Σ ∪ P_□;
while h ≤ |Q| 2^{2|Q|} and Q_0 ∩ P_{Σ□} = ∅ do begin
    h := h + 1;
    P_Σ := {q ∈ Q | δ(q, #) ∩ P_Σ × P_Σ ≠ ∅};
    P_{Σ□} := P_Σ ∪ {q ∈ Q | δ(q, #) ∩ P_{Σ□} × P_□ ≠ ∅};
    P_□ := {q ∈ Q | δ(q, #) ∩ P_□ × P_□ ≠ ∅};
end;
if h ≤ |Q| 2^{2|Q|} then return true else return false;

Fig. 1. Algorithm for deciding if a tree automaton star-accepts some word.



For a 2-set system → over S and S_0, S_1 ⊆ S, let A = ({0, □, #}, S, S_1, S_0, δ) with

δ(y, a) = {(x_1, x_2) | {x_1, x_2} → Y ∈ → and y ∈ Y} if a ≠ □, ∅ otherwise.

We show that A minimal-accepts some word iff there is an S' with S_0 ⇒* S' and S' ∩ S_1 ≠ ∅.

(⇒) Let π be an accepting run on the minimal input tree of some word in {0}*. For 0 ≤ k ≤ |π|, let T_k = {π(u) | |u| = k}, and let

M_0 = S_0 and M_{k+1} = ∪_{X→Y, X⊆M_k} Y,

for 0 ≤ k < |π|. By the definition of the successor, M_k ⇒ M_{k+1}. We show by induction over k that T_{|π|−k} ⊆ M_k, for all 0 ≤ k ≤ |π|. The base case for k = 0 follows from the fact that T_{|π|} ⊆ S_0 since π is accepting. The step case for k > 0 follows directly from the definition of δ. Thus, M_{|π|} ∩ S_1 ≠ ∅ since T_0 ∩ S_1 ≠ ∅.

(⇐) Let M_0, ..., M_h ⊆ S be a solution for the reachability problem, i.e., M_0 = S_0, M_k ⇒ M_{k+1}, for 0 ≤ k < h, and M_h ∩ S_1 ≠ ∅. It is straightforward to construct an accepting run of A on the minimal input tree of the word 0^{2^h}. □



4 Decidable Extension of WS1S

In this section, we define an extension of WS1S with an infinite family of relations and show its decidability. A relation in this family is defined by a tree automaton with an alphabet of the form 𝔹^r for r > 0. Hence, we assume in the following that a tree automaton has an alphabet of this form.
We encode a tuple of finite subsets of ℕ in words. Let 𝒳 denote the set of all finite subsets of ℕ. A word b_1 … b_n ∈ 𝔹* represents X ∈ 𝒳 if n ≥ max({0} ∪ X) and b_k = 1 iff k ∈ X, for all 1 ≤ k ≤ n. Let w ∈ (𝔹^r)*, where the i-th letter of w has the form (b_i^1, …, b_i^r) ∈ 𝔹^r. The word w represents the tuple (X_1, …, X_r) ∈ 𝒳^r if each word b_1^j … b_n^j ∈ 𝔹* represents X_j, for 1 ≤ j ≤ r.

Let (R_A)_{A t.a.} stand for the infinite family of relations, where each R_A ⊆ 𝒳^r in this family, for a tree automaton A with alphabet 𝔹^r, is the relation defined by

(X_1, …, X_r) ∈ R_A iff A minimal-accepts a word that represents (X_1, …, X_r).

The next lemma shows closure under cylindrification. The construction is technical but straightforward; we omit it.

Lemma 10. For a tree automaton A with alphabet 𝔹^r and r' > 0 we can construct a tree automaton A' with alphabet 𝔹^{r+r'} such that

(X_1, …, X_r) ∈ R_A iff (X_1, …, X_r, Y_1, …, Y_{r'}) ∈ R_{A'}

for X_1, …, X_r, Y_1, …, Y_{r'} ∈ 𝒳.

We show that the weak monadic second-order logic over the structure 𝔑 = (ℕ, succ, (R_A)_{A t.a.}), WS1S⁺ for short, is decidable. Analogously to the idea in [5,11,24] we use automata to prove the decidability of WS1S⁺: roughly speaking, we construct recursively for each sub-formula of a formula a tree automaton that minimal-accepts the representatives of the satisfying interpretations.

We briefly sketch the syntax and semantics of WS1S⁺. A formula is built from the atomic formulas as in WS1S, namely³ x = y, X(x), succ(x, y), and additionally, for each tree automaton A with alphabet 𝔹^r, the atomic formula R_A(X_1, …, X_r). Further, we have the connectives ¬ and ∨, and the existential quantifier ∃ for first-order and monadic second-order variables.⁴

A (weak) interpretation I of φ is a function mapping the first-order variables occurring in φ to elements of ℕ and the second-order variables occurring in φ to finite subsets of ℕ. The truth value of φ in 𝔑 w.r.t. I, written 𝔑, I ⊨ φ, is defined as usual. Note that the existential quantifier for second-order variables only ranges over finite subsets of ℕ. If φ contains no free variables, i.e., is a sentence, we write 𝔑 ⊨ φ. The theory of WS1S⁺ is the set {φ sentence | 𝔑 ⊨ φ}.

A formula φ with the variables x_1, …, x_r and X_1, …, X_s defines the word language

$$L(\varphi) = \{ w \in (\mathbb{B}^{r+s})^* \mid \text{there is an interpretation } I \text{ with } \mathfrak{N}, I \models \varphi \text{ and } w \text{ represents } (\{I(x_1)\}, \ldots, \{I(x_r)\}, I(X_1), \ldots, I(X_s)) \}.$$

³ Lower case letters, like x, y, …, denote first-order variables and upper case letters, like X, Y, …, denote second-order variables.

⁴ We also use the connectives ∧, → and ↔, and the universal quantifiers for first-order and second-order variables. We use the standard conventions for omitting parentheses.
Lemma 11. For a formula φ, L(φ) is a tree-accepted word language. Moreover, we can construct a tree automaton A such that W(A) = L(φ).

Proof (sketch). We use a restricted logical system, which we call MSO₀-logic (see e.g. [19,23]). It has a simpler syntax, in which the first-order variables are cancelled. Elements of ℕ are simulated by singletons and quantification over elements is simulated by quantification over singletons. Formulas in MSO₀-logic are constructed from the atomic formulas R_A(X_1, …, X_r), where A is a tree automaton with alphabet 𝔹^r. Formulas in MSO₀-logic are interpreted over the structure (ℕ, (R_A)_{A t.a.}).

The translation ⌜·⌝ of atomic formulas of WS1S⁺ to formulas in MSO₀-logic is defined as

$$\begin{aligned}
\ulcorner x = y \urcorner &= R_{A_{\mathrm{single}}}(\bar{x}) \wedge R_{A_{\mathrm{single}}}(\bar{y}) \wedge R_{A_C}(\bar{x}, \bar{y}) \wedge R_{A_C}(\bar{y}, \bar{x}) \\
\ulcorner X(x) \urcorner &= R_{A_{\mathrm{single}}}(\bar{x}) \wedge R_{A_C}(\bar{x}, X) \\
\ulcorner \mathrm{succ}(x, y) \urcorner &= R_{A_{\mathrm{single}}}(\bar{x}) \wedge R_{A_{\mathrm{single}}}(\bar{y}) \wedge R_{A_{\mathrm{succ}}}(\bar{x}, \bar{y})
\end{aligned}$$

where x̄, ȳ denote new second-order variables for the first-order variables x and y, respectively. A_single is the tree automaton that minimal-accepts the words 0…01, A_C tree-accepts the word language (𝔹² \ {(1, 0)})*, and A_succ minimal-accepts a word b_1 … b_n with b_i = (b_i^1, b_i^2) iff b_1^2 = 0, and b_{i+1}^2 = 1 iff b_i^1 = 1, for 0 < i < n. Since these languages are regular, the tree automata A_single, A_C, and A_succ exist by Theorem 4. The definition of ⌜·⌝ for the step cases is straightforward. It can be easily checked that L(φ) = L(⌜φ⌝).
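The word encoding of tuples of finite sets from the start of this section, together with the word-level conditions behind A_single, A_C and A_succ, as an added worked example in Python (not code from the paper). It implements the languages of the three automata directly as predicates on the columns of a word rather than as tree automata, counts positions from 1 as in the definition of "represents", and assumes that a column of the form 0…01 may be followed by all-zero letters, since a longer word has to carry the other columns:

```python
"""Word encodings of tuples of finite subsets of N and the word-level
conditions behind the translated atoms x = y, X(x) and succ(x, y).
Added worked example, not code from the paper.

Assumptions: positions are counted from 1, as in the definition of
'represents'; the languages of A_single, A_C and A_succ are implemented
as predicates on columns of the word; a column 0...010...0 counts as
A_single's 0...01, the trailing letters being padding the other columns need.
"""
from typing import List, Optional, Sequence, Set, Tuple

Letter = Tuple[int, ...]   # one element of B^r, B = {0, 1}
Word = List[Letter]


def _bound(sets: Sequence[Set[int]]) -> int:
    """max({0} ∪ X_1 ∪ ... ∪ X_r): the shortest admissible word length."""
    return max([0] + [k for x in sets for k in x])


def encode(sets: Sequence[Set[int]], n: Optional[int] = None) -> Word:
    """The word b_1 ... b_n over B^r with b_k^j = 1 iff k ∈ X_j."""
    if any(k < 1 for x in sets for k in x):
        raise ValueError("positions start at 1 in this encoding")
    n = _bound(sets) if n is None else n
    if n < _bound(sets):
        raise ValueError("word too short to represent the tuple")
    return [tuple(1 if k in x else 0 for x in sets) for k in range(1, n + 1)]


def represents(w: Word, sets: Sequence[Set[int]]) -> bool:
    """b_1 ... b_n represents (X_1, ..., X_r) iff n >= max({0} ∪ X_j) and
    b_k^j = 1 iff k ∈ X_j for all 1 <= k <= n, 1 <= j <= r."""
    n, r = len(w), len(sets)
    if any(len(b) != r for b in w) or n < _bound(sets):
        return False
    return all((w[k - 1][j] == 1) == (k in x)
               for j, x in enumerate(sets) for k in range(1, n + 1))


def decode(w: Word, r: int) -> List[Set[int]]:
    """Inverse of encode: the j-th column read as a set of positions."""
    return [{k for k in range(1, len(w) + 1) if w[k - 1][j] == 1} for j in range(r)]


def column(w: Word, j: int) -> List[int]:
    return [b[j] for b in w]


def is_single(col: Sequence[int]) -> bool:
    """A_single: the column is 0...01 up to trailing zeros, i.e. a singleton."""
    return sum(col) == 1


def no_one_zero(col1: Sequence[int], col2: Sequence[int]) -> bool:
    """A_C: the two columns never form the letter (1, 0); for a singleton
    first column {x} this says x ∈ X."""
    return all(not (a == 1 and b == 0) for a, b in zip(col1, col2))


def is_succ(col1: Sequence[int], col2: Sequence[int]) -> bool:
    """A_succ: b_1^2 = 0 and b_{i+1}^2 = 1 iff b_i^1 = 1 for 1 <= i < n."""
    n = len(col1)
    return (n >= 1 and col2[0] == 0
            and all((col2[i] == 1) == (col1[i - 1] == 1) for i in range(1, n)))


# The translated atoms, read off a word whose first two columns hold the
# singletons for x and y (or the singleton for x and the set X).
def atom_eq(w: Word) -> bool:
    c1, c2 = column(w, 0), column(w, 1)
    return is_single(c1) and is_single(c2) and no_one_zero(c1, c2) and no_one_zero(c2, c1)


def atom_member(w: Word) -> bool:
    c1, c2 = column(w, 0), column(w, 1)
    return is_single(c1) and no_one_zero(c1, c2)


def atom_succ(w: Word) -> bool:
    c1, c2 = column(w, 0), column(w, 1)
    return is_single(c1) and is_single(c2) and is_succ(c1, c2)
```

Note that atom_succ on encode([{3}, {4}]) needs a word of length 4, which is exactly why the singleton column for x must tolerate trailing zeros: the column for y is the one that forces the length.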

Let φ be a formula in MSO₀-logic, where X_1, …, X_s are the variables occurring in φ. We construct for each sub-formula ψ of φ a tree automaton A_ψ with the alphabet 𝔹^s such that for all interpretations I of φ

(ℕ, (R_A)_{A t.a.}), I ⊨ ψ iff A_ψ minimal-accepts a word that represents (I(X_1), …, I(X_s)).

We omit the details, as they are analogous to the details of the proof of decidability of WS1S in [19].

The base case ψ = R_A(X_1, …, X_r) follows from Lemma 6. Note that we can assume that all variables X_1, …, X_r are pairwise distinct, and by Lemma 10 that r = s. The step cases ψ = ¬χ and ψ = χ_1 ∨ χ_2 follow from Theorem 5. The step case ψ = ∃X χ follows from Lemma 6 and Theorem 5. □

Corollary 12. The theory of WS1S⁺ is decidable.

Proof. Let φ be a sentence. By Lemma 11, we can construct a tree automaton A such that W(A) = L(φ). φ is false in 𝔑 iff L(φ) = ∅, which can be checked by exploiting Theorem 9. □
Fig. 2. Example of a parameterized combinational tree-structured circuit. (The drawing itself is not reproduced here.)

4.1 Applications

The first application shows that the predicate of natural numbers that are a power of 2 can be defined in WS1S⁺. Let A be the tree automaton of Example 2. P(x) stands for the formula ∃X ∃x' (X(x') ∧ succ(x', x) ∧ R_A(X)). P(x) is true iff x is interpreted with a power of 2. The decidability of the weak monadic theory over (ℕ, succ, P) with P = {c^n | n ∈ ℕ}, for some c ≥ 2, can be shown by using tree automata over full c-ary trees instead of tree automata over full binary trees.

We introduce more syntactic sugar. P(succ(x)) is an abbreviation for the formula ∃z (succ(x, z) ∧ P(z)). The formula ∀Z (Z(y) ∧ ∀z (∃z' (succ(z, z') ∧ Z(z')) → Z(z)) → Z(x)) is true iff the interpretation of x is less than or equal to the interpretation of y; we write x ≤ y.

The second application illustrates how WS1S⁺ can be used to reason about parameterized combinational tree-structured circuits. For doing so, we use the (toy) family of circuits C_n, n ≥ 0, depicted in Figure 2. We verify that the circuit C_n outputs 1 iff the input propagates a bit, i.e., for all 0 ≤ i < 2^n either input pin x_i or input pin y_i has value 1.

An input of the circuit C_n can be encoded by three finite subsets of ℕ, namely X, Y, Z, where i ∈ X iff the input pin x_i has value 1, i ∈ Y iff the input pin y_i has value 1, and Z = {0, …, 2^n − 1}, i.e., Z determines the size of the circuit. More formally,

$$\mathit{input}(X, Y, Z) = \exists m\, \big(\forall u\, (X(u) \vee Y(u) \vee Z(u) \to u \le m) \wedge \forall u\, (u \le m \to Z(u)) \wedge P(\mathrm{succ}(m))\big).$$

The output value of the circuit C_n, for any n ≥ 0, can be described by the tree automaton A = ({q, q_ok}, {q}, {q_ok}, δ), where the step case of the recursively defined circuit family is reflected in the transition δ(q, #) = {(q, q)}. This can be intuitively read as "circuit C_n outputs 1 iff the left circuit C_{n−1} and the right circuit C_{n−1} output 1". The base case is reflected in the transitions

$$\delta(q, (b, b', 1)) = \begin{cases} \{(q_{ok}, q_{ok})\} & \text{if } b = 1 \text{ or } b' = 1, \\ \emptyset & \text{otherwise.} \end{cases}$$

This can be intuitively read as "circuit C_0 outputs 1 iff either input pin x_0 or input pin y_0 has value 1". For all other letters the transitions of δ are arbitrary.

The property that any circuit C_n outputs 1 iff the input propagates a bit can be expressed by the sentence

$$\forall X\, \forall Y\, \forall Z\, \big(\mathit{input}(X, Y, Z) \to (R_A(X, Y, Z) \leftrightarrow \forall x\, (Z(x) \to X(x) \vee Y(x)))\big).$$

With the above described decision procedure for WS1S⁺, we can check whether this sentence holds in the structure 𝔑.
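Evaluating the tree automaton for C_n bottom-up on the complete binary tree over the input pins, as an added worked example in Python (not code from the paper). The acceptance condition it assumes is the one Fig. 1 works with: a leaf carrying letter a may be labelled q only if δ(q, a) contains a pair of final states, a #-node labelled q has children labelled by a pair in δ(q, #), and the tree is accepted iff the root can be labelled by an initial state. The exhaustive check compares the automaton with the specification "for all i, x_i = 1 or y_i = 1" on every input of C_n, which is the equivalence the sentence above states:

```python
"""Bottom-up evaluation of a tree automaton on a complete binary tree,
applied to the circuit family C_n.  Added worked example, not code from
the paper.  Acceptance condition assumed: leaves need a transition into
F x F, #-nodes need a transition into the labels of their children, and
the root must admit an initial state.
"""
from itertools import product
from typing import Callable, Hashable, List, Sequence, Set, Tuple

State = Hashable
Letter = Hashable
Delta = Callable[[State, Letter], Set[Tuple[State, State]]]


def root_labels(states: Set[State], final: Set[State], delta: Delta,
                leaves: Sequence[Letter]) -> Set[State]:
    """States that can label the root of the complete binary tree whose
    leaves carry `leaves` (left to right).  Works level by level, so only
    the set of possible labels per node is kept, never a whole run."""
    n = len(leaves)
    if n == 0 or n & (n - 1):
        raise ValueError("a complete binary tree needs 2^k leaves")
    final_pairs = set(product(final, repeat=2))
    level: List[Set[State]] = [
        {q for q in states if delta(q, a) & final_pairs} for a in leaves]
    while len(level) > 1:
        level = [{q for q in states
                  if any(q1 in left and q2 in right for q1, q2 in delta(q, "#"))}
                 for left, right in zip(level[::2], level[1::2])]
    return level[0]


def accepts(states, initial, final, delta, leaves) -> bool:
    return bool(root_labels(states, final, delta, leaves) & initial)


# The automaton A = ({q, q_ok}, {q}, {q_ok}, delta) for the circuits C_n.
STATES = {"q", "q_ok"}
INITIAL = {"q"}
FINAL = {"q_ok"}


def circuit_delta(q: State, a: Letter) -> Set[Tuple[State, State]]:
    if q == "q" and a == "#":            # C_n: both halves C_{n-1} output 1
        return {("q", "q")}
    if q == "q" and isinstance(a, tuple) and len(a) == 3 and a[2] == 1:
        b, b2, _ = a                     # C_0: x_0 = 1 or y_0 = 1
        return {("q_ok", "q_ok")} if b == 1 or b2 == 1 else set()
    return set()                         # letters the paper leaves arbitrary


def circuit_output(xs: Sequence[int], ys: Sequence[int]) -> bool:
    """Output of C_n for pins x_i, y_i, 0 <= i < 2^n, read off the automaton.
    The third component 1 marks i as an element of Z = {0, ..., 2^n - 1}."""
    return accepts(STATES, INITIAL, FINAL,
                   circuit_delta, [(x, y, 1) for x, y in zip(xs, ys)])


def propagates_a_bit(xs: Sequence[int], ys: Sequence[int]) -> bool:
    """The property verified in the text: every position has x_i = 1 or y_i = 1."""
    return all(x == 1 or y == 1 for x, y in zip(xs, ys))


def agrees_on_all_inputs(n: int) -> bool:
    """Exhaustive check of R_A(X, Y, Z) <-> forall x (Z(x) -> X(x) or Y(x))
    over all inputs of the 2^n-pin circuit C_n."""
    pins = 2 ** n
    return all(circuit_output(xs, ys) == propagates_a_bit(xs, ys)
               for xs in product((0, 1), repeat=pins)
               for ys in product((0, 1), repeat=pins))
```

The level-by-level evaluation is the same idea as the P_S sets of Fig. 1: it keeps, for every node, only the set of states that can label it, so the run is never built explicitly and the cost is linear in the number of tree nodes.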



5 Future Work

We have shown how to encode words as complete leaf-labeled trees and restricted tree automata to operate on such encodings. This leads to a characterization of a set of word languages, including the regular languages, that has the properties needed to define a decidable extension of WS1S. As applications, we have shown how this extension can be used to solve certain decision problems and how it can be applied to reason automatically about parameterized families of combinational tree-structured circuits.

In [15,14,2,18] exponentially inductive functions (EIFs) were used to describe parameterized families of combinational tree-structured circuits. It is possible to represent EIFs in WS1S⁺, since in [2,18] it was shown that they are equivalent to alternating tree automata restricted to complete leaf-labeled trees.

In [3,1] WS1S and WS2S were used to reason about serial and tree-structured parameterized circuits. Since the network topology of a tree-structured circuit is normally a complete tree whose leaves are the inputs of the circuit, WS1S⁺ appears to be more natural than WS2S for modeling tree-structured circuits. Confirming this, however, requires larger case studies.

Moreover, it seems that WS1S⁺ cannot be embedded in WS2S. This conjecture is based on the following observation: since the set of all complete trees is not a regular tree language, it is unlikely that the weak monadic second-order logic over (ℕ, succ, P) can be translated to WS2S. A rigorous comparison of WS2S and WS1S⁺, and a more "natural" definition of the family of relations of WS1S⁺, remain future work. This includes a more complete investigation of the set of tree-accepted languages.

Implementing a decision procedure for WS1S⁺ is also future work. To this end, we plan to use the existing implementation of tree automata in the Mona system [4].
Abstract. We will construct from every partial combinatory algebra (PCA, for short) A a PCA a-lim(A) s.t. (1) every representable numeric function φ(n) of a-lim(A) is exactly of the form lim_t ψ(t, n) with ψ(t, n) being a representable numeric function of A, and (2) A can be embedded into a-lim(A), which has a synchronous application operator. Here, a-lim(A) is A equipped with a limit structure in the sense that each element of a-lim(A) is the limit of a countable sequence of A-elements. We will discuss limit structures for A in terms of Barendregt's range property. Moreover, we will repeat the construction lim(−) transfinitely many times to interpret infinitary λ-calculi. Finally, we will interpret the affine type-free λμ-calculus by introducing another partial applicative structure which has an asynchronous application operator and allows a parallel limit operation. In the interpretation, μ-variables (= continuations) are interpreted as streams of λ-terms.

Keywords: partial combinatory algebra, limiting recursive functions, realizability interpretation, discontinuity, infinitary lambda-calculi, λμ-calculus.



1 Introduction 

Partial combinatory algebras (PCA, for short) are partial applicative structures axiomatized by the same axioms as combinatory algebras, except that the application operators can be partial operators. PCAs are important in connection with the realizability interpretations of intuitionistic logics. The realizability interpretations extract the computational content of intuitionistic logic's proofs as programs. Using PCAs to carry out the realizability interpretations, we can obtain 'realizability' models of typed term calculi and constructive set theories in which we can do mathematics.

Recently, a new realizability interpretation was introduced by Nakata and Hayashi [9] to extract the computational content of semi-classical logic's proofs as approximation algorithms.

They first noticed that Gold's limiting recursive functions [5], which were originally introduced to formulate the learning processes of machines, are useful

* The author acknowledges Susumu Hayashi, Mariko Yasugi, Stefano Berardi, and Ken-etsu Fujita. The comments by the anonymous referees were useful to partly improve the presentation.



L. Fribourg (Ed.): CSL 2001, LNCS 2142, pp. 399-414, 2001. 
© Springer- Verlag Berlin Heidelberg 2001 




400 Yohji Akama 



for what they call animation of proofs [7]. Gold's limiting recursive function is of the form f(x) s.t.

$$f(x) = y \iff \exists t_0\, \forall t \ge t_0.\; g(t, x) = y \iff \lim_t g(t, x) = y,$$

where g(t, x) is called a guessing function, and t is a limit variable. Then, they proved that some limiting recursive functions approximate a realizer of the semi-classical principle ¬¬∃y ∀x. g(x, y) = 0 → ∃y ∀x. g(x, y) = 0. Also, they showed that the semi-classical principle is sufficient for usual mathematics and for software synthesis ([6]).

In this way, Nakata and Hayashi opened up the possibility that limiting operations provide realizability interpretations of semi-classical logical systems.

They formulated the set of the limiting recursive functions as a Basic Recursive Function Theory (BRFT, for short; Wagner [17] and Strong [14]). Then Nakata and Hayashi carried out their realizability interpretation using the BRFT.

If we can formulate the set of limiting algorithms as a PCA C, then by carrying out Nakata and Hayashi's realizability interpretation using C, we may be able to construct 'realizability' models of

1. semi-classical typed term calculi, for example typed Parigot's λμ-calculus and typed term calculi with control operators;

2. semi-classical constructive set theory.

Motivated by the above, we will introduce a construction from a given PCA A of another PCA a-lim(A). Our idea is: (1) the limit variable t is the clock of the processing element (MPU); (2) a guessing function g(t, x) is a generator of a stream (g(0, x), g(1, x), …); (3) the limiting recursive function lim_t g(t, x) is the stream modulo a symmetric, transitive relation ∼. Here, two streams are related by ∼ if for all natural numbers t except finitely many, the t-th elements of the two streams have the same value.

In a-lim(A), every allowed limit is exactly of the form lim_t a_t s.t. the infinite sequence (a_t ∈ A)_t is (1) indexed by ℕ; and (2) generated inside the PCA A. We will call this lim_t a_t an autonomous limit. Owing to the above (1, 2), we will be able to prove that every representable partial function of a-lim(A) is exactly a limiting recursive function guessed by some representable partial function of A (see Section 3).

Based on this result, we have only to take C as a-lim(ℕ) in order to find realizability models of both semi-classical typed term calculi and a semi-classical constructive set theory.

In order to construct from A a PCA with stronger computational power, we will first consider the following two forms of limits lim_λ a_λ:

(R) (a_λ ∈ A)_λ is indexed by the whole A.

(N) (a_λ ∈ A)_λ is any countable sequence of A-elements.

We will prove that (R) does not always strengthen the computational power of A. However, (N) has an extreme effect on the strength of A. We will introduce another construction from any PCA A to another PCA n-lim(A) where the only allowed limit is of the form (N). Then, the set of representable functions in n-lim(A) is the set of all partial numeric functions. Moreover, it can compute a discontinuous function from ℝ to ℕ. The construction n-lim(−) may be interesting in itself since it applies to all signatures of partial algebras. See Section 4.

By using our results on limits over PCAs, we aim to interpret the following infinite λ-calculi. Infinite λ-calculi have been studied in proof- and recursion-theoretic contexts and are now being studied in the analysis of infinite streams (for input/output) and non-terminating recursive calls of functional programming languages.

1. Tait's typed calculus of infinitely long terms [15]: an infinite sequence of type A terms is again a type A term. His motivation was proof-theoretic. He wanted to define a large class of calculable functionals of finite types.

2. S. Feferman's typed calculus T_0 of infinitely long terms (for details, see Schwichtenberg and Wainer [11]): an infinite sequence (P_1, P_2, …) of type A terms is again a type A term if there is a term that calculates for each i the code of P_i. After Feferman developed Tait's typed λ-calculus in a proof-theoretic context, he introduced T_0 and studied T_0 in a recursion-theoretic context.

3. Two systems of infinite type-free λ-calculi by Kennaway-Klop-Sleep-de Vries [8] and Berarducci [3]: both have terms representing infinite Böhm-, Lévy-Longo-, or Berarducci-trees.

4. The type-free λμ-calculus (Parigot [10]): the typed version corresponds to classical logic, and a typed/type-free version relates to a typed/type-free functional programming language with control operators such as call/cc. The type-free λμ-calculus has μ-variables to represent continuations. By regarding μ-variables as infinite sequences of usual variables, we can regard the λμ-calculus as an infinite λ-calculus.

The relationship between Tait's infinite typed λ-calculus and Feferman's typed λ-calculus is comparable to the relationship between n-lim(−) and a-lim(−).

The infinite λ-calculi (1, 2, 3) have infinite terms consisting of infinite terms, while our constructions a-lim(A) and n-lim(A) introduce an element depending infinitely on elements which are "finite" (i.e., in A). In order to interpret the infinite λ-calculi, we will repeat our constructions a-lim(−) and/or n-lim(−). The resulting PCA allows repeated limits lim_{t_1} ⋯ lim_{t_n} f(t_1, …, t_n). See Section 5.

However, Parigot's type-free λμ-calculus is difficult to interpret with a-lim and/or n-lim. We will introduce another construction n-LIM(−) which extends a given PCA A to a partial applicative structure n-LIM(A) s.t.

— every allowed limit in n-LIM(A) is a parallel limit lim_{t_1, …, t_n} f(t_1, …, t_n);

— the application operator is asynchronous.

With the help of concurrency theory, we will try to clarify the parallelism hidden in the parallel limits of n-LIM(−). Then, we will interpret the affine type-free λμ-calculus in Section 6.
From now on, the symbol "≃" means "if one side is defined, then the other side is defined as having the same value," while the symbol "=" means that "both sides are defined as having the same value." The symbol "↓" means "is defined." So, t ↓ is equivalent to the equation t = t. For any operation f, we assume that f(a_1, …, a_n) ↓ implies a_1 ↓, …, and a_n ↓. The set of partial functions from A to B is denoted by A ⇀ B. We write ∀^∞ x ∈ A. φ(x) to express that "{x ∈ A | ¬φ(x)} is a finite set."

2 Limiting Recursion

Definition 1. We say a partial numeric function φ(n_1, …, n_k) is guessed by a partial numeric function ψ(t, n_1, …, n_k) as t goes to infinity, if ∀n_1, …, n_k ∃t_0 ∀t ≥ t_0. φ(n_1, …, n_k) ≃ ψ(t, n_1, …, n_k). We write φ(n_1, …, n_k) ≃ lim_t ψ(t, n_1, …, n_k). For every class 𝓕 of partial numeric functions, lim(𝓕) denotes the set of partial numeric functions guessed by a partial numeric function in 𝓕.

In calibrating the computational power of lim(𝓕), we recall the limiting recursive functions introduced by Gold [5]. We assume knowledge of the arithmetical hierarchy of sets and of complete sets w.r.t. many-one reducibility. The standard reference is Soare's book [12].

Proposition 1 (Gold [5]).

1. A total function guessed by a partial recursive function can be guessed by a primitive recursive function.

2. A (partial) function guessed by a total recursive function is exactly a (partial) function recursive in the halting set 𝒦 (called a limiting recursive function).

The set PRF of partial recursive functions is contained in lim(PRF), because every φ ∈ PRF is guessed by φ itself composed with projections. We will show that lim(PRF) strictly includes the set of limiting recursive functions.

Proposition 2 (Takeshi Yamazaki, or folklore).

1. A total function is guessed by a total recursive function if and only if the graph of the function is in the class Δ^0_2 of the arithmetical hierarchy.

2. For every partial function, if it is guessed by a partial recursive function, then the graph and the domain are both in the class Σ^0_3 of the arithmetical hierarchy. Moreover, there is a partial function f s.t. f is guessed by a partial recursive function and the graph of f and the domain of f are both Σ^0_3-complete w.r.t. many-one reducibility.

Proof. (2) Let W_n be the domain of the unary partial recursive function of index n. It is well known that Cof = {n | W_n is cofinite} = {n | ∃s ∀t ≥ s. t ∈ W_n} is Σ^0_3-complete. Define ψ(t, n) = 1 if t ∈ W_n, and undefined otherwise. Then n ∈ Cof = dom(lim_t ψ(t, n)) iff (n, 1) ∈ graph(lim_t ψ(t, n)). □

The operation lim(−) preserves an abstract structure for basic recursion theory, as Nakata and Hayashi showed in [9]. We recall the ω-basic recursive function theory with a successor function of Strong [14] and Wagner [17]. If 𝓕 is an ω-BRFT with suc, so is lim(𝓕).
3 Autonomous Limit

A partial combinatory algebra (PCA, for short) is A = (|A|, ·, s, k) s.t. · is a binary partial operator (application operator) on a set |A|, and s, k ∈ |A| are distinct elements subject to (k·a)·b = a, (s·a)·b ↓, ((s·a)·b)·c ≃ (a·c)·(b·c). Examples of PCAs are the set ℕ of natural numbers and the set of values of the call-by-value λ-calculus. A, B, … range over PCAs.

Given a PCA, we can simulate λ-abstraction; for a "polynomial" t[x], there is a "polynomial" λx.t[x] s.t. (λx.t[x])·a ≃ t[a]. The Church numeral of a natural number n, denoted by n̄, is a polynomial λy λx. y·(⋯(y·x)⋯) with y successively applied n times to x.

We say a partial numerical function ψ(t, n_1, …, n_k) is represented by an element a ∈ A whenever (⋯((a·t̄)·n̄_1)⋯)·n̄_k = m̄ iff ψ(t, n_1, …, n_k) = m. The set of partial numerical functions representable in A is denoted by RpFn(A). It is well known that RpFn(A) contains PRF.

Given a PCA A, we will construct a PCA a-lim(A) s.t. RpFn(a-lim(A)) = lim(RpFn(A)).
Definition 2 (Autonomous Limit of a PCA). Given a PCA A = (|A|, ·, s, k), the extension a-lim(A) of A by the autonomous limits is a PCA a-lim(A) = (|a-lim(A)|, *, s, k) where

— |a-lim(A)| is the quotient set {a ∈ |A| | a ∼ a}/∼, where a ∼ b is defined as ∀^∞ t ∈ ℕ. (a·t̄ = b·t̄);

— s = [k·s]_∼, k = [k·k]_∼ ("s, k for any value of t", t being "time");

— [a]_∼ * [b]_∼ = [(s·a)·b]_∼ ("synchronous application").

As ∼ is a symmetric, transitive relation on |A|, the quotient set |a-lim(A)| is well-defined. Each element is an equivalence class [a]_∼ with a ∈ A. When a is undefined, so is [a]_∼. The operation * is well-defined: suppose a ∼ a' and b ∼ b', and s·a·b·n̄ ≃ (a·n̄)·(b·n̄) is defined for all large enough n. Then, because a·n̄ = a'·n̄ and b·n̄ = b'·n̄, we have s·a·b·n̄ ≃ (a·n̄)·(b·n̄) ≃ (a'·n̄)·(b'·n̄) ≃ s·a'·b'·n̄. Therefore, s·a·b ∼ s·a'·b'.

Theorem 1. a-lim(A) is a PCA s.t. RpFn(a-lim(A)) = lim(RpFn(A)).

Proof. We will first prove that it is a PCA. Let t ∈ ℕ be sufficiently large. (1) s*[a]*[b]*[c] ≃ [s(s(s(ks)a)b)c] while [a]*[c]*([b]*[c]) ≃ [s(sac)(sbc)]. An axiom for s implies s(s(s(ks)a)b)c t̄ ≃ (ks t̄)(a t̄)(b t̄)(c t̄). By using the axiom for k with t̄ ↓, the last is ≃ s(a t̄)(b t̄)(c t̄). It is, by an axiom for s, ≃ s(sac)(sbc) t̄. So, s*[a]*[b]*[c] ≃ [a]*[c]*([b]*[c]). (2) s*[a]*[b] ≃ [s(s(ks)a)b]. An axiom of s implies s(s(ks)a)b t̄ ≃ ks t̄ (a t̄)(b t̄). By using the axiom of k with t̄ ↓, it is ≃ s(a t̄)(b t̄). It is always defined because a t̄ ↓, b t̄ ↓ and an axiom of s. So, s*[a]*[b] ↓. (3) k*[a]*[b] = [s(s(kk)a)b] and s(s(kk)a)b t̄ ≃ (kk t̄)(a t̄)(b t̄). By using the axiom of k with t̄ ↓, it is ≃ k(a t̄)(b t̄). It is ≃ a t̄ as b t̄ ↓. So, k*[a]*[b] = [a]. Therefore, a-lim(A) is indeed a PCA.
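Definition 2 and the three axiom checks of the proof above, worked through on a concrete PCA, as an added example in Python (not code from the paper). The PCA is the set of closed SK terms (plus inert constants) with a fuel-bounded normal-order evaluator, so that application is genuinely partial; the time parameter t is stood in by inert constants t0, t1, …, and a ∼ b is checked on those sample times only, as a finite stand-in for "for all but finitely many t". These choices are this example's assumptions:

```python
"""A concrete PCA and its autonomous-limit extension a-lim(A).  Added
worked example, not code from the paper.

Assumptions of this example: the PCA is the set of closed SK terms (plus
inert constants) under a fuel-bounded normal-order evaluator, so an
application that does not normalise within the fuel is undefined; the
time parameter t is modelled by inert constants "t0", "t1", ...; and a ~ b
is checked on those sample times only.
"""
from typing import List, Optional, Sequence, Tuple, Union

Term = Union[str, Tuple]   # "S", "K", any other string as a constant, or (f, x)


def app(f: Term, *xs: Term) -> Term:
    """Left-associated application f x1 x2 ... xn."""
    for x in xs:
        f = (f, x)
    return f


def _spine(t: Term) -> Tuple[str, List[Term]]:
    """Unwind f x1 ... xn into its head symbol and argument list."""
    args: List[Term] = []
    while isinstance(t, tuple):
        t, x = t
        args.append(x)
    return t, args[::-1]


def _norm(t: Term, fuel: int) -> Tuple[Optional[Term], int]:
    head, args = _spine(t)
    while fuel > 0:
        fuel -= 1
        if head == "K" and len(args) >= 2:           # K a b -> a
            new, rest = args[0], args[2:]
        elif head == "S" and len(args) >= 3:         # S f g x -> (f x)(g x)
            f, g, x = args[:3]
            new, rest = ((f, x), (g, x)), args[3:]
        else:                                        # head normal form: normalise the arguments
            normed: List[Term] = []
            for a in args:
                na, fuel = _norm(a, fuel)
                if na is None:
                    return None, 0
                normed.append(na)
            return app(head, *normed), fuel
        head, new_args = _spine(new)
        args = new_args + rest
    return None, 0


def normalize(t: Term, fuel: int = 2000) -> Optional[Term]:
    """Normal form of t, or None if it is undefined (fuel exhausted)."""
    return _norm(t, fuel)[0]


I = app("S", "K", "K")                          # identity: S K K x -> x
OMEGA = app(app("S", I, I), app("S", I, I))     # (S I I)(S I I) loops: undefined

# a-lim(A): an element is a term a read as the stream t |-> a · t.
TIMES = [f"t{i}" for i in range(4)]             # sample values of the time parameter


def at(a: Term, t: Term) -> Optional[Term]:
    """The t-th element a · t of the stream represented by a."""
    return normalize((a, t))


def sync_app(a: Term, b: Term) -> Term:
    """[a] * [b] = [s · a · b]: applied to t this gives (a t)(b t)."""
    return app("S", a, b)


def embed(a: Term) -> Term:
    """iota(a) = [k · a], the constant stream t |-> a."""
    return app("K", a)


S_LIM, K_LIM = embed("S"), embed("K")           # the s and k of a-lim(A)


def same_stream(a: Term, b: Term, times: Sequence[Term] = TIMES) -> bool:
    """a ~ b on the sample times: both sides defined and equal at every t."""
    pairs = [(at(a, t), at(b, t)) for t in times]
    return all(x is not None and x == y for x, y in pairs)
```

Applying k*[a]*[b] to a time constant unfolds exactly as in step (3) of the proof, (kk t̄)(a t̄)(b t̄) ⇝ k(a t̄)(b t̄) ⇝ a t̄, and the term k·Ω shows why a ∼ a is required of an element: its stream is undefined at every t.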

Both RpFn(a-lim(A)) and lim(RpFn(A)) contain the nowhere defined partial functions of any arity. Let φ be a unary partial function that is somewhere defined. φ ∈ lim(RpFn(A)) is equivalent to ∃ψ ∈ RpFn(A) ∀n, m (lim_t ψ(t, n) = m iff φ(n) = m). As φ is somewhere defined, we have φ(l) ↓ for some l and so ∀^∞ t. ψ(t, l) ↓. Thus, it is equivalent to

∃a ∈ A (∀^∞ t. a t̄ ↓ & ∀n, m ((∀^∞ t ∈ ℕ. a t̄ n̄ = m̄) iff φ(n) = m)).

Because a Church numeral n̄ of a-lim(A) is [k n̄]_∼ with the latter Church numeral n̄ being in A, it is equivalent to ∃a ∈ A (a ∼ a & ∀n, m ([a]_∼ * n̄ = m̄ iff φ(n) = m)). Therefore, φ ∈ lim(RpFn(A)) iff φ ∈ RpFn(a-lim(A)). For φ with arity greater than 1, it is similarly proved. □

Definition 3 (homomorphism). A function f from a PCA A to a PCA B is a homomorphism if f preserves the operators as relations. That is, f(s) = s, f(k) = k, and ab = c implies f(a)f(b) = f(c). We denote by PCA the category of PCAs and homomorphisms. An injective, surjective homomorphism is called an isomorphism. A homomorphism is abbreviated as homo.

Theorem 2. The function ι_A : A → a-lim(A); a ↦ [k·a]_∼ is an injective, non-surjective homo. such that a·a' = b ⟺ ι_A(a) * ι_A(a') = ι_A(b). Moreover,

$$[a]_\sim = \iota_A(b) \iff \forall^\infty t \in \mathbb{N}.\; a \cdot \bar{t} = b \quad (\iff \text{“}\lim_t a \cdot \bar{t} = b\text{”}).$$

4 Possible Limit Structures

Each element of the PCA a-lim(A) is of the form lim_t a_t, where the

1. parameter t can be any natural number; and

2. sequence (a_t)_t is of the form (a·t̄)_t for some a ∈ A. In this case, the sequence is "autonomously tracked" by an A-element a.

To justify the necessity of the two conditions, we will discuss the following alternatives to lim_t a_t for A: (R) t of lim_t a_t can be any element of A (see Subsection 4.1); or (N) the sequence (a_t)_t is any countable sequence (see Subsection 4.2).

4.1 Range Property and Limit

We consider another lim operation: lim_a f(x, a) = y ⟺ ∀^∞ a ∈ |A|. y = f(x, a). Although this limit is useful in the PCA ℕ, it is not the case for the set Λ of closed λ-terms modulo β-equality. Λ is called the closed term model of the λβ-calculus. Even though we can construct from Λ another PCA, say Λ', with the limit above, we have PRF = RpFn(Λ') = RpFn(Λ) ≠ lim(RpFn(Λ)) = lim(PRF), because of the range property of Barendregt ([1, p. 517]): in Λ, the range of any combinator is either a singleton or an infinite set. Indeed, if f : Λ × Λ → Λ is representable, so is F_x(a) = f(x, a). When lim_a f(x, a) in the above sense has a value, F_x has the finite range {F_x(a) | a ∈ Λ}. However, it must then be a singleton because of the range property. Therefore, the lim above will be useless.
4.2 Limit along All the Countable Sequences

Theorem 3. Let M be a partial algebra of a signature (f_1, …; u_1 = u'_1, …; v_1 ≃ v'_1, …). Here f_1, … are (partial) operators, and u_1 = u'_1, …; v_1 ≃ v'_1, … are axioms. Each u_i, u'_i, v_i, v'_i is built up from the variables and the operators f_1, ….

The extension n-lim(M) of M by the non-constructive limits is (|n-lim(M)|, f_1, …) s.t.

1. |n-lim(M)| = {a : ℕ → M | a ∼ a}/∼, where a ∼ b is defined as ∀^∞ k ∈ ℕ. a(k) = b(k).

2. For [a_1]_∼, … ∈ |n-lim(M)|, define f_i([a_1]_∼, …) ≃ [p]_∼ with p(t) ≃ f_i(a_1(t), …).

Then n-lim(M) is a partial algebra of the same signature.

As we defined homomorphisms for PCAs, we define a homomorphism for partial algebras as a function which preserves the operators as relations.

Theorem 4. The function ι_M : M → n-lim(M); b ↦ [a]_∼, where a(t) = b, is an injective homo. such that f(b, …) = b' in M ⟺ f(ι_M(b), …) = ι_M(b') in n-lim(M). If M has at least two elements, it is non-surjective. Moreover,

$$[a]_\sim = \iota_M(b) \iff (\forall^\infty t \in \mathbb{N}.\; a(t) = b) \quad (\iff \text{“}\lim_t a(t) = b\text{”}).$$

Proof. Let a : ℕ → M s.t. a(t) = b_{t mod 2} with distinct b_0, b_1 ∈ M. If ι_M is surjective, ∃b ∀^∞ t ∈ ℕ (a(t) = b). Contradiction. The other claims are clear. □

Partial algebras appear as algebraic specifications of software, for instance stacks. It is indeed partial, because pop(nil) can be undefined. The signature of stacks is (pop, push, nil, 1; pop(push(x, y)) = x). By taking M of the above theorems as PCAs, we have the following:

Theorem 5. If A is a PCA, n-lim(A) is a PCA s.t. RpFn(n-lim(A)) is the set of all partial numeric functions.

Proof. We will prove only the second part. Since any partial numeric function with finite domain is representable in any PCA, every partial numeric m-ary function φ is represented by [f]_∼ s.t. f(t) represents φ ↾ {0, 1, …, t − 1}^m in A. □



Remark 1. There are other PCAs where every partial numeric function is representable. For instance, D_∞ introduced by Scott and the partial continuous operations (PCO, for short; see [16, Ch. 9, Sect. 4]) introduced by Kleene. However, no n-lim(A) is isomorphic to them. This fact is explained by comparing the three extensional collapses [16] of n-lim(A), D_∞ and PCO.

On the one hand, the extensional collapses of both D_∞ and PCO are the same: a type structure consisting of all total Kleene-Kreisel continuous functionals over ℕ. By a Kleene-Kreisel continuous functional, we mean that the output of the functional depends only on finite sub-information of the input functionals.

On the other hand, the extensional collapse of n-lim(A) contains a discontinuous functional over ℕ. One such example is the Gauss function, the function that, given a real number x, returns the largest integer not greater than x. The Gauss function is actually a functional of type (ℕ → ℕ) → ℕ by using a suitable coding of ℚ in ℕ. The Gauss function is not Kleene-Kreisel continuous, because the output needs infinite precision on the input real number to determine whether the input is an integer or not. As the Gauss function can be rewritten as a limit according to Yasugi-Brattka-Washihara [18], it is in the extensional collapse of n-lim(A). Hence, no n-lim(A) is isomorphic to D_∞ or PCO.

5 Repeating Limits

In functional programming, we use infinite lists as streams (for input/output) and non-terminating recursive calls. These objects are usually the unwinding ("limit") of finite objects. To analyze such infinitary objects, of interest is the infinitary λ-calculus introduced by Kennaway-Klop-Sleep-de Vries [8] and that introduced by Berarducci [3]. Both calculi admit terms like λx.y^ω x, λx.y^ω(x^ω), and have terms with the limit operation (−)^ω nested. So, to interpret all of the infinitary λ-terms, it is necessary to repeat the limit constructions ω times.

Let A be a combinatory algebra. Then the interpretations of ordinary λ-terms are in A. If an infinitary λ-term M has k-nested (−)^ω, then the interpretation is in a-lim^k(A) or n-lim^k(A).

Definition 4 (a-times repeated limits). For every PCA A and every ordinal 
number a, let us define a PCA lim“(A) and the canonical injective homo, (.(j : 
lim^(Al) — >■ lim“(Al) for each 0 < P < a. 

— a-lim°(A) = A, and is the identity for each ordinal number p. 

— a-lim^''‘^(Al) = a-lim ^a-lim^(Al)^ , and ° 

— For a being a limit ordinal number, a-lim“(A) is an inductive limit of 
(6^)o<7<5<ce, and each 6^ is a natural injection of the inductive limit. 

Theorem 6. For each ordinal number $\alpha > \beta \ge 0$,

1. a-lim$^{\alpha}(A)$ is indeed a PCA, and $\iota^{\alpha}_{\beta}$ is an injective, non-surjective homo.;

2. RpFn(a-lim$^{\alpha}(A)$) is lim$^{\alpha}$(RpFn$(A)$) for $\alpha$ finite, and is $\bigcup_{\beta \in \omega} \mathrm{lim}^{\beta}(\mathrm{RpFn}(A))$ otherwise.

Proof. (1) By transfinite induction on $\alpha$. (2) Note that RpFn(a-lim$^{\alpha}(A)$) is $\bigcup_{\beta < \alpha}$ RpFn(a-lim$^{\beta}(A)$). Theorem 1 proves the case for finite $\alpha$. Let's first consider the case $\alpha = \omega + 1$. RpFn(a-lim$^{\omega+1}(A)$) $= \mathrm{lim}\bigl(\bigcup_{\beta \in \omega} \mathrm{RpFn}(\text{a-lim}^{\beta}(A))\bigr) = \mathrm{lim}\bigl(\bigcup_{\beta \in \omega} \mathrm{lim}^{\beta}(\mathrm{RpFn}(A))\bigr)$. Therefore $\varphi(-) \in \mathrm{RpFn}(\mathrm{lim}^{\omega+1}(A))$ iff $\exists \beta < \omega\ \exists \psi \in \mathrm{lim}^{\beta}(\mathrm{RpFn}(A))\ \forall n.\ \exists t_0\ \forall t'_0 > t_0.\ \varphi(n) \simeq \psi(t'_0, n)$, iff $\exists \beta < \omega\ \exists \psi' \in \mathrm{RpFn}(A)\ \forall n.\ \exists t_0\ \forall t'_0 > t_0 \cdots \exists t_{\beta}\ \forall t'_{\beta} > t_{\beta}.\ \varphi(n) \simeq \psi'(t'_0, \ldots, t'_{\beta}, n)$, iff $\varphi(-) \in \mathrm{RpFn}(\mathrm{lim}^{\omega}(A))$. So, RpFn(lim$^{\omega+1}(A)$) is RpFn(lim$^{\omega}(A)$). In this way, we can prove the second part of the theorem. □

We similarly define n-lim$^{\alpha}(A)$. A theorem similar to Theorem 2 also holds. We have the above theorem with a-lim$(-)$ replaced by n-lim$(-)$, but RpFn(n-lim$^{\alpha}(A)$) is the set of all partial numeric functions for $\alpha > 0$.

We do not know whether there is an ordinal number $\alpha$ such that a-lim$^{\alpha}(A)$ is isomorphic to a-lim(a-lim$^{\alpha}(A)$). $\iota^{\alpha+1}_{\alpha}$ cannot be such an isomorphism, according to the above theorem. There is no $A$ isomorphic to n-lim$(A)$, because of a cardinality argument. Although the construction a-lim$(-)$ is an endofunctor of a category PCA, it is difficult to employ a category-theoretic version of Tarski's fixpoint theorem arguments, because the two homo's a-lim$(\iota^{\alpha+1}_{\alpha})$ and $\iota^{\alpha+2}_{\alpha+1}$ are not equal but their equalizer can be proved to be

An infinitely long term $(P_1, P_2, \ldots)$ of Tait's and Feferman's $\lambda$-calculi (resp.) can be interpreted as $(a_1, a_2, a_3, \ldots) \simeq [t \mapsto (a_1, a_2, a_3, \ldots, a_t)]_{\sim}$ in n-lim$^{\alpha+1}(A)$ and a-lim$^{\alpha+1}(A)$ (resp.) whenever each $P_i$ is interpreted as $a_i \in$ a-lim$^{\alpha}(A)$. In particular, if $P_i$ is an ordinary $\lambda$-term, then $\alpha = 0$. Here, $(a_1, a_2, a_3, \ldots, a_t)$ is the abbreviation of $\mathrm{cons}\ a_1\,(\cdots(\mathrm{cons}\ a_t\ \mathrm{i})\cdots)$; a pairing satisfies $\mathrm{car}\,(\mathrm{cons}\ a\ b) = a$ and $\mathrm{cdr}\,(\mathrm{cons}\ a\ b) = b$. For example, we can define $\mathrm{cons} = \lambda xyz.\,zxy$, $\mathrm{car} = \lambda x.\,x\mathrm{k}$, $\mathrm{cdr} = \lambda x.\,x(\mathrm{k}\mathrm{i})$.

6 An Interpretation of Type-Free $\lambda\mu$-Calculus

In [10], Parigot introduced the typed $\lambda\mu$-calculus which corresponds to classical propositional logic via the Curry-Howard isomorphism. By forgetting the types in the $\lambda\mu$-calculus, we obtain a type-free $\lambda\mu$-calculus. Both calculi are related to type-free/typed programming languages with control operators (call/cc, $\mathcal{C}$ introduced by M. Felleisen and D. Friedman, raise-handle, ...).

The type-free $\lambda\mu$-calculus is specified by defining $\lambda\mu$-terms, and the reduction rules (the $\beta$-reduction rule and the $\mu$-reduction rule).

$\lambda\mu$-Terms are generated by $M ::= c \mid x \mid MM \mid \lambda x.M \mid [\alpha]M \mid \mu\alpha.M$. An occurrence of $\alpha$ in $\mu\alpha.\cdots$ will be called a bound occurrence of $\alpha$. An occurrence of $\alpha$ which is not bound is called free. A $\lambda\mu$-term $[\alpha]M$ is regarded as the application of $M$ to the continuation bound to $\alpha$. $\mu\alpha.M$ is regarded as functional abstraction over the continuation variable $\alpha$ on the level of continuation semantics. Here, $x, y, z, \ldots$ range over term-variables, and $\alpha, \beta, \gamma, \ldots$ range over $\mu$-variables, which are distinguished from the term-variables.

Mixed substitution. A context is generated by the above grammar with a special constant $(\ )$. By replacing the occurrences of $(\ )$ of a context $C(\ )$ with a $\lambda\mu$-term $M$, we obtain a $\lambda\mu$-term $C(M)$. For any context $C(\ )$ and a $\lambda\mu$-term $N$, we define a mixed substitution $\vartheta = [[\alpha](\ ) := C(\ )]$ as follows. If $N$ is a $\lambda\mu$-term, so is $N\vartheta$. If $N$ does not have a free $\mu$-variable $\alpha$, then $N\vartheta$ is $N$. So, if $N$ is a variable or $\mu\alpha.M$, then $N\vartheta = N$. The mixed substitution commutes with $\lambda$-abstraction and application. The mixed substitution $\vartheta = [[\alpha](\ ) := C(\ )]$ satisfies $([\beta]M)\vartheta = [\beta](M\vartheta)$ and $(\mu\beta.M)\vartheta = \mu\beta.(M\vartheta)$, provided $\beta \ne \alpha$. Finally,
$$([\alpha]M)[[\alpha](\ ) := C(\ )] = C(M[[\alpha](\ ) := C(\ )]).$$



$\mu$-reduction is specified by the rule: $(\mu\alpha.M)N \to \mu\alpha.(M[[\alpha](\ ) := [\alpha]((\ )N)])$. In graphical notation, the rule is
$$(\mu\alpha.(\cdots([\alpha]P)\cdots))N \ \to\ \mu\alpha.(\cdots([\alpha](P'N))\cdots). \qquad (1)$$
For instance, $(\mu\alpha.[\alpha](y([\alpha]x)))z \to \mu\alpha.[\alpha]((y([\alpha](xz)))z)$. Of course, the type-free $\lambda\mu$-calculus has the usual $\beta$-reduction.



6.1 Informal Semantics of $\lambda\mu$

$\mu$-application (-abstraction, -reduction) = infinite applications (abstractions, $\beta$-reduction). Consider an informal translation from the type-free $\lambda\mu$-calculus to the (infinitely long) type-free $\lambda$-calculus:
$$[\alpha]P \ \mapsto\ P a_0 a_1 \cdots \qquad \text{and} \qquad \mu\alpha.M \ \mapsto\ \lambda a_0 a_1 \cdots .\, M . \qquad (2)$$
Then, the above rewriting rule (1) is translated to
$$(\lambda a_0 a_1 \cdots .(\cdots(P a_0 a_1 \cdots)\cdots))N \ \to_{\beta}\ \lambda a_0 a_1 \cdots .(\cdots(P' N a_0 a_1 \cdots)\cdots), \qquad (3)$$
which turns out to be a $\beta$-reduction between infinite terms, by renaming bound variables infinitely many times: $\lambda a_1 \cdots .(\cdots(P' N a_1 \cdots)\cdots) = \lambda a_0 a_1 \cdots .(\cdots(P' N a_0 a_1 \cdots)\cdots)$. The $\eta$-like reduction on continuations $\mu\alpha.[\alpha]P \to P$ (if $\alpha$ is not free in $P$) turns out to be just infinitely many $\eta$-reductions (see Theorem 9). This idea of Parigot is being studied by Fujita [4]; with a type regime, the translation above precisely corresponds to the Gödel translation, and the length of $a_0, a_1, \ldots$ is finite.

$\mu$-variable = infinite stream. The idea of (2) leads us to interpret $[\alpha]P \simeq \lim_t P a_0 a_1 \ldots a_t = [t \mapsto P a_0 a_1 \ldots a_t]_{\sim}$, $a_t \simeq \mathrm{car} * (\mathrm{cdr} * \cdots (\mathrm{cdr} * \alpha) \cdots)$, where cdr is successively applied $t$-times to $\alpha$. Then, we have a Swap rule of Streicher-Reus's version of the type-free $\lambda\mu$-calculus [13]: $[\mathrm{cons} * M * N]P \simeq [N](P * M)$, if we allow more general continuation terms than mere $\mu$-(continuation) variables, namely pure $\lambda$-terms stacked on a $\mu$-variable: $\mathrm{cons} * M_1 * (\mathrm{cons} * M_2 * \cdots * (\mathrm{cons} * M_n * \alpha) \cdots)$.

$\mu$-reduction causes delay in a stream. The translation result of the rewriting rule (1) is $f \to g$ s.t.
$$f(t) \simeq (\lambda a_0 \ldots a_t.(\cdots(P a_0 \ldots a_t)\cdots))N \simeq \lambda a_1 \ldots a_t.(\cdots(P N a_1 \ldots a_t)\cdots),$$
$$g(t) \simeq \lambda a_0 \ldots a_t.(\cdots(P N a_0 \ldots a_t)\cdots).$$
But $f(t+1) \simeq g(t)$. Because it takes 1 'clock time' to compute (by $\beta$-reduction) $g$ from $f$, a delay occurs because of the extra computational time required. Anyway, $[f]_{\sim} \ne [g]_{\sim}$ in n-lim$(A)$. So, n-lim$(A)$ does not interpret the calculus. Neither does a-lim$(A)$.

To equate $f$ and $g$ above, let us replace the symmetric, transitive relation $\sim$ with the smallest symmetric, transitive relation $\approx$ containing $\sim$ and the 'delay' rule $f \approx (t \mapsto f(t+1))$. Unfortunately, the quotient set $(\mathbb{N} \rightharpoonup |A|)/\!\approx$ cannot have the synchronous application operator $[f]_{\approx} * [g]_{\approx} \simeq [t \mapsto f(t) \cdot g(t)]_{\approx}$ well-defined.



6.2 Asynchronous Applicative Structure and Parallel Limit

Given a PCA $A$, we introduce another partial algebra n-LIM$(A)$ where an appropriate application operator can be defined. The carrier set of n-LIM$(A)$ is $\{f \mid n \ge 0,\ f : \mathbb{N}^n \rightharpoonup |A| \text{ and } f \sim f\}/\!\sim$, where $\sim$ is a symmetric, transitive relation over $\bigcup_{n \ge 0}(\mathbb{N}^n \rightharpoonup |A|)$ defined by the symmetricity rule, the transitivity rule plus the following two rules. Let $f : \mathbb{N}^n \rightharpoonup A$. Then

1. The 'delay' rule. $f \sim f \circ (\mathrm{id} \times \cdots \times \mathrm{id} \times \mathrm{suc} \times \mathrm{id} \times \cdots \times \mathrm{id}) : \mathbb{N}^n \to \mathbb{N}^n \rightharpoonup A$, where id is the identity function on $\mathbb{N}$ and suc is the successor function.

As for $\times$, it is an associative operator and for all $f_i : A_i \rightharpoonup B_i$ we have $f_1 \times f_2 : A_1 \times A_2 \rightharpoonup B_1 \times B_2$ s.t. $(f_1 \times f_2)(a_1, a_2)$ is $(f_1(a_1), f_2(a_2))$ if each $f_i(a_i)$ is defined, and it is undefined otherwise.

The rule is necessary to have $\lim_t f(t) \sim \lim_t f(t+1)$.

2. The 'exchange' and 'weakening' rule. $f \sim f \circ (\pi^m_{\sigma(1)}, \ldots, \pi^m_{\sigma(n)}) : \mathbb{N}^m \to \mathbb{N}^n \rightharpoonup A$, where $m \ge n$, $\sigma$ is a permutation on $\{1, \ldots, n\}$, and for each $k = 1, \ldots, m$ the function $\pi^m_k$ returns the $k$-th argument.

For all $f_i : A \rightharpoonup B_i$ we have $(f_1, \ldots, f_n) : A \rightharpoonup B_1 \times \cdots \times B_n$ s.t. $(f_1, \ldots, f_n)(a)$ is $(f_1(a), \ldots, f_n(a))$ if each $f_i(a)$ is defined, and it is undefined otherwise. The rule will make the following application operator well-defined.



Lemma 1. Let $i, j, k \ge 0$. If $\forall (u_1, \ldots, u_k) \in \mathbb{N}^k.\ \forall s_1, \ldots, s_i, t_1, \ldots, t_j \in \mathbb{N}.\ f_1(u_1, \ldots, u_k, s_1, \ldots, s_i) \simeq f_2(u_1, \ldots, u_k, t_1, \ldots, t_j)$, then $f_1 \sim f_2$.

Proof. Assume that $t > t_0$ implies $f_1(t, t_1) \simeq f_2(t, t_2)$. Let $g_i(t, t_i) = f_i(t_1 + t_0, \ldots, t_k + t_0, t_i)$. Then $f_i \sim g_i$ by $k t_0$ times repeated applications of the 'delay' rule. Because $g_1(t, t_1) \simeq g_2(t, t_2)$, by using the 'exchange' and 'weakening' rule we have $g_1 \sim g_2$. By the transitivity of $\sim$ we have $f_1 \sim f_2$. □

Remark 2. Consistent with Lemma 1, for each $X =$ a-lim$(A)$, n-lim$(A)$, or n-LIM$(A)$, we mention the relationship between the symmetric, transitive relation $\sim$ for $X$ and the limit structure of $X$.

— In a-lim$(A)$, we have always $i = j = 0$ and $k = 1$, and for an autonomous sequence of $A$-elements the sequential limit $\lim_t a \cdot t$ corresponds to $[a]_{\sim} \in$ a-lim$(A)$.

— In n-lim$(A)$, we have always $i = j = 0$ and $k = 1$, and for an $f : \mathbb{N} \rightharpoonup A$ the sequential limit $\lim_t f(t)$ corresponds to $[f]_{\sim} \in$ n-lim$(A)$.

— In n-LIM$(A)$, for an $f : \mathbb{N}^{k+1} \rightharpoonup A$ the parallel limit $\lim_{t_1, \ldots, t_{k+1}} f(t_1, \ldots, t_{k+1})$ corresponds to $[f]_{\sim} \in$ n-LIM$(A)$.

An asynchronous application operator. For $f : \mathbb{N}^n \rightharpoonup A$ and $g : \mathbb{N}^m \rightharpoonup A$, define
$$[f]_{\sim} * [g]_{\sim} \simeq [h]_{\sim}, \quad \text{with } h = (-)\cdot(-) \circ (f \times g) : \mathbb{N}^n \times \mathbb{N}^m \rightharpoonup A \times A \rightharpoonup A,$$
where $(-)\cdot(-)$ is the application operator of the given PCA $A$. The operator $*$ is 'asynchronous' in the sense that $f \times g$ is involved. The operator, as well as the relation $\sim$, permits 'delay' in the arguments (as streams). Therefore,

Lemma 2. $(-)*(-)$ is well-defined.

We say n-LIM$(A)$ is the extension of a PCA $A$ by the non-constructive parallel limits and the asynchronous application.

Remark 3. We explain the application operator with the vocabulary of concurrency theory:

1. $f$ and $g$ (resp.) is a process having at most $n$ and $m$ (resp.) independent clocks. For all time slices$^1$, except for finitely many, we can observe $A$-elements.

2. $h$ is a process having the clocks of both $f$ and $g$. Given a time slice, let $a$ be the observation of $f$ at that time slice and let $b$ be the observation of $g$ at that time slice. Then the observation of $h$ at that time slice is $a \cdot b$.

As is common, the contraction rule is seen as a communication (synchronization). In defining $\sim$ we cannot replace the 'exchange' and 'weakening' rule with the 'exchange,' 'weakening' and 'contraction' rule $f \sim f \circ (\pi^m_{\sigma(1)}, \ldots, \pi^m_{\sigma(n)}) : \mathbb{N}^m \to \mathbb{N}^n \rightharpoonup A$ where $m \ge n$ and $\sigma$ is a function on $\{1, \ldots, n\}$.

Lemma 3. In n-LIM$(A)$, we have $[\mathrm{k}]_{\sim} * x * y = x$. It is not the case that $[\mathrm{s}]_{\sim} * x * y * z \simeq x * z * (y * z)$. But it is the case if $x = [h]_{\sim}$ with some $h \in A$.

Proof. Let $x = [f]_{\sim}$, $y = [g]_{\sim}$, $z = [h]_{\sim}$ and the arities of $f, g, h$ be $n, m, l$. $[\mathrm{k}]_{\sim} * x * y$ is $[p]_{\sim}$ s.t. $p = f \circ (\pi^{n+m}_1, \ldots, \pi^{n+m}_n) \sim f$ by the exchange and weakening rule. Therefore $[\mathrm{k}]_{\sim} * x * y = x$. On the other hand, $[\mathrm{s}]_{\sim} * x * y * z$ is $[u]_{\sim}$ with $u$ being naturally an $(n + m + l)$-ary partial function, while $x * z * (y * z)$ is $[v]_{\sim}$ with $v$ being naturally $(n + l + m + l)$-ary. So, it is difficult to have the equation unless $l = 0$ (i.e., $h \in A$). □

$^1$ $(t_1, \ldots, t_n)$ where each $t_i$ is the value of a clock.

Definition 5. For every polynomial $t[x]$, define the polynomial $\lambda x.t[x]$ as follows. Let $x$ not occur in $u$.

— $\lambda x.u \simeq [\mathrm{k}]_{\sim} * u$, $\lambda x.x \simeq [\lambda x.x]_{\sim}$, $\lambda x.u * x \simeq u$.

— $\lambda x.t[x] * u \simeq [\lambda xyz.\,xzy]_{\sim} * (\lambda x.t[x]) * u$.

— $\lambda x.u * t[x] \simeq [\lambda xyz.\,x(yz)]_{\sim} * u * (\lambda x.t[x])$.

— $\lambda x.t[x] * t'[x] \simeq [\mathrm{s}]_{\sim} * (\lambda x.t[x]) * (\lambda x.t'[x])$.

Lemma 4. For every $a \in$ n-LIM$(A)$ we have $(\lambda x.t[x])a \simeq t[a]$, if $x$ occurs in $t[x]$ at most once, or if $a = [h]_{\sim}$ with some $h \in A$.

By using the $\lambda$-abstraction of Definition 5, we re-define the Church numeral $i$ and the pairing by the equations at the end of the last section. Let $\mathrm{nth} \simeq \lambda xy.\,\mathrm{car} * (y * \mathrm{cdr} * x)$.

Lemma 5. n-LIM$(A)$ has a pairing cons, car, cdr, and nth s.t.
$$\mathrm{nth} * (x_0, \ldots, x_n) * i \simeq x_i.$$

We can similarly define the extension a-LIM$(A)$ of a PCA $A$ by the autonomous parallel limits and the asynchronous application.

6.3 The Interpretation

Convention 1. In every $\lambda\mu$-term $M$, every bound $\mu$-variable is distinct$^2$ and different from any free $\mu$-variables.

Definition 6. Given a type-free $\lambda\mu$-term $M$. Let $\{\alpha, \beta, \ldots\}$ be the set of $\mu$-variables in $M$; then the set $\{t_\alpha, t_\beta, \ldots\}$ of numeric variables is denoted by $M^{\sharp}$.

We will define the partial function $M^{\circ}$, which returns at most one $A$-element when the values of $M^{\sharp}$ are determined: $x^{\circ} \simeq x$ ranges over the elements of $A$, $(MN)^{\circ} \simeq M^{\circ}N^{\circ}$ and $(\lambda x.M)^{\circ} \simeq \lambda x.M^{\circ}$;
$$([\alpha]M)^{\circ} \simeq M^{\circ}\,(\mathrm{nth}\ \alpha\ 0) \ldots (\mathrm{nth}\ \alpha\ t_\alpha);$$
$$(\mu\alpha.M)^{\circ} \simeq \lambda a_0 \cdots a_{t_\alpha}.\,M^{\circ}[\alpha := (a_0, \ldots, a_{t_\alpha})].$$

The interpretation $\llbracket M \rrbracket$ of $M$ in n-LIM$(A)$ is $[M^{\circ}]_{\sim}$.

We will prove that this interpretation works for the affine type-free $\lambda\mu$-calculus.

Lemma 6. $(P[x := Q])^{\circ} \simeq P^{\circ}[x := Q^{\circ}]$.

Proof. By induction on $P$. We abbreviate $[x := Q]$ as $\theta$ and $[x := Q^{\circ}]$ as $\theta^{\circ}$. Case 1. $P$ is $[\alpha]M$. Then the L.H.S. $([\alpha](M\theta))^{\circ}$ is $\simeq (M\theta)^{\circ}\,(\mathrm{nth}\ \alpha\ 0) \ldots (\mathrm{nth}\ \alpha\ t_\alpha)$. By I.H., it is $M^{\circ}\theta^{\circ}\,(\mathrm{nth}\ \alpha\ 0) \ldots (\mathrm{nth}\ \alpha\ t_\alpha) = (M^{\circ}\,(\mathrm{nth}\ \alpha\ 0) \ldots)\theta^{\circ}$, which is the R.H.S. Case 2. $P$ is $\mu\beta.M$. Then the L.H.S. is $(\mu\beta.(M\theta))^{\circ} \simeq \lambda b_0 \ldots b_{t_\beta}.(M\theta)^{\circ}[\beta := (b_0, \ldots, b_{t_\beta})]$. By I.H., it is $\lambda b_0 \ldots b_{t_\beta}.M^{\circ}\theta^{\circ}[\beta := (b_0, \ldots, b_{t_\beta})]$. Because we can assume that $\beta$ is not in $Q$ without loss of generality, the last is $(\lambda b_0 \ldots b_{t_\beta}.M^{\circ}[\beta := (b_0, \ldots, b_{t_\beta})])\theta^{\circ}$, which is the R.H.S. When $P$ is of the other forms, then it is trivial. □

$^2$ That is, $\alpha \ne \beta$, if $M$ is $\cdots(\mu\alpha.\cdots\alpha\cdots)\cdots(\mu\beta.\cdots\beta\cdots)\cdots$.
Lemma 7. $(P[[\alpha](\ ) := (\ )x_0 \ldots x_{t_\alpha}])^{\circ} \simeq P^{\circ}[\alpha := (x_0, \ldots, x_{t_\alpha})]$.

Proof. By induction on $P$. $\vartheta$ stands for $[[\alpha](\ ) := (\ )x_0 \ldots x_{t_\alpha}]$ and $\theta$ for $[\alpha := (x_0, \ldots, x_{t_\alpha})]$. Case 1. $P$ is $[\alpha]M$. Then the L.H.S. is $(M\vartheta\,x_0 \cdots x_{t_\alpha})^{\circ}$. By I.H., it is $M^{\circ}\theta\,x_0 \ldots x_{t_\alpha}$, which is the R.H.S. Case 2. $P$ is $\mu\beta.M$ with $\beta \ne \alpha$. Then the L.H.S. is $(\mu\beta.M\vartheta)^{\circ}$, which is $\lambda b_0 \cdots b_{t_\beta}.(M\vartheta)^{\circ}[\beta := (b_0, \ldots, b_{t_\beta})]$. By I.H., it is $\lambda b_0 \ldots b_{t_\beta}.M^{\circ}\theta[\beta := (b_0, \ldots, b_{t_\beta})]$. It is $\lambda b_0 \ldots b_{t_\beta}.M^{\circ}[\beta := (b_0, \ldots, b_{t_\beta})]\theta$, which is the R.H.S. When $P$ is of the other forms, then it is trivial. □



Theorem 7. If $x$ occurs free at most once in $M$, or if no $\mu$-variable occurs in $N$, then $((\lambda x.M)N)^{\circ} \simeq (M[x := N])^{\circ}$. Hence, $\llbracket (\lambda x.M)N \rrbracket \simeq \llbracket M[x := N] \rrbracket$.

Proof. The L.H.S. is $(\lambda x.M^{\circ})N^{\circ}$, where $x$ occurs free at most once in $M^{\circ}$, or $N^{\circ} \simeq h$ for some $h \in A$. So, the L.H.S. is $M^{\circ}[x := N^{\circ}]$, by Lemma 4. It is the R.H.S. by Lemma 6. □



Theorem 8. Let $\alpha$ occur free at most once in $P$, or let no $\mu$-variable occur in $Q$. Then we have

$\mu$-reduction: $\llbracket (\mu\alpha.P)Q \rrbracket \simeq \llbracket \mu\alpha.P[[\alpha](\ ) := [\alpha]((\ )Q)] \rrbracket$;

Parigot's S3 rule: $\llbracket \mu\alpha.M \rrbracket \simeq \llbracket \lambda x.\mu\alpha.M[[\alpha](-) := [\alpha]((-)x)] \rrbracket$.

Proof. In order to prove the two statements, we will claim resp.

1. if $f(t_\alpha, t_\beta) \simeq ((\mu\alpha.P)Q)^{\circ}$, then $f(t_\alpha + 1, t_\beta) \simeq (\mu\alpha.P[[\alpha](\ ) := [\alpha]((\ )Q)])^{\circ}$; and

2. if $f(t_\alpha, t_\beta) \simeq (\mu\alpha.P)^{\circ}$, then $f(t_\alpha + 1, t_\beta) \simeq (\lambda x.\mu\alpha.P[[\alpha](\ ) := [\alpha]((\ )x)])^{\circ}$.

(1) The L.H.S. $f(t_\alpha + 1, t_\beta)$ is $(\lambda a_0 \cdots a_{t_\alpha + 1}.\,P^{\circ}[\alpha := (a_0, \ldots, a_{t_\alpha + 1})])Q^{\circ}$, which is, by Lemma 7, $(\lambda a_0 \cdots a_{t_\alpha + 1}.\,(P[[\alpha](\ ) := (\ )a_0 \cdots a_{t_\alpha + 1}])^{\circ})Q^{\circ}$, which is, by Lemma 6 and the premise, $\lambda a_1 \ldots a_{t_\alpha + 1}.\,(P[[\alpha](\ ) := (\ )Q a_1 \cdots a_{t_\alpha + 1}])^{\circ}$, which is, by renaming bound variables, $\lambda a_0 \cdots a_{t_\alpha}.\,(P[[\alpha](\ ) := (\ )Q a_0 \cdots a_{t_\alpha}])^{\circ}$. Because of Convention 1, the mixed substitution above is a composition of two mixed substitutions: $[[\alpha](\ ) := [\alpha]((\ )Q)]\,[[\alpha](\ ) := (\ )a_0 \cdots a_{t_\alpha}]$. By Lemma 7, $f(t_\alpha + 1, t_\beta) \simeq \lambda a_0 \ldots a_{t_\alpha}.\,(P[[\alpha](\ ) := [\alpha]((\ )Q)])^{\circ}[\alpha := (a_0, \ldots, a_{t_\alpha})]$, which is the R.H.S. $(\mu\alpha.P[[\alpha](\ ) := [\alpha]((\ )Q)])^{\circ}$. (2) is similarly proved. □
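As an added illustration (not part of the paper), the concrete instance of $\mu$-reduction given in Section 6, $(\mu\alpha.[\alpha](y([\alpha]x)))z \to \mu\alpha.[\alpha]((y([\alpha](xz)))z)$, is worked through the translation $(-)^{\circ}$ of Definition 6 to exhibit the one-step delay that claim 1 above asserts; here $Q = z$ contains no $\mu$-variable, so the hypothesis of Theorem 8 holds even though $\alpha$ occurs twice in $P = [\alpha](y([\alpha]x))$. Using $\mathrm{nth}\ (a_0, \ldots, a_{t_\alpha})\ i \simeq a_i$ (Lemma 5),
$$(\mu\alpha.[\alpha](y([\alpha]x)))^{\circ} \simeq \lambda a_0 \ldots a_{t_\alpha}.\,(y(x\,a_0 \ldots a_{t_\alpha}))\,a_0 \ldots a_{t_\alpha},$$
so, writing $f(t_\alpha) \simeq ((\mu\alpha.[\alpha](y([\alpha]x)))z)^{\circ}$, one $\beta$-step gives
$$f(t_\alpha) \simeq (\lambda a_0 \ldots a_{t_\alpha}.\,(y(x\,a_0 \ldots a_{t_\alpha}))\,a_0 \ldots a_{t_\alpha})\,z \simeq \lambda a_1 \ldots a_{t_\alpha}.\,(y(x\,z\,a_1 \ldots a_{t_\alpha}))\,z\,a_1 \ldots a_{t_\alpha}.$$
On the other side, writing $g(t_\alpha) \simeq (\mu\alpha.[\alpha]((y([\alpha](xz)))z))^{\circ}$,
$$g(t_\alpha) \simeq \lambda a_0 \ldots a_{t_\alpha}.\,((y(x\,z\,a_0 \ldots a_{t_\alpha}))\,z)\,a_0 \ldots a_{t_\alpha}.$$
Renaming $a_1, \ldots, a_{t_\alpha + 1}$ to $a_0, \ldots, a_{t_\alpha}$ in $f(t_\alpha + 1)$ yields exactly $g(t_\alpha)$, i.e. $f(t_\alpha + 1) \simeq g(t_\alpha)$. In n-lim$(A)$ the classes $[f]_{\sim}$ and $[g]_{\sim}$ are different, whereas in n-LIM$(A)$ the 'delay' rule $f \sim f \circ \mathrm{suc}$ identifies them, so $\llbracket (\mu\alpha.[\alpha](y([\alpha]x)))z \rrbracket \simeq \llbracket \mu\alpha.[\alpha]((y([\alpha](xz)))z) \rrbracket$.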



Theorem 9 ($\eta_{cont}$). If $\alpha$ is not free in $M$, then $(\mu\alpha.[\alpha]M)^{\circ} \simeq M^{\circ}$, hence $\llbracket \mu\alpha.[\alpha]M \rrbracket \simeq \llbracket M \rrbracket$.

Proof. $(-)^{\circ}$ unwinds each occurrence of $\alpha$ to the same sequence $a_0, \ldots, a_{t_\alpha}$. □

When we validate the $\mu$-reduction but not the $\eta_{cont}$-reduction, we can replace $(-)^{\circ}$ with another translation $(-)^{\natural}$ satisfying the following two conditions. (1) For the same $\mu$-variable $\alpha$, we distinguish the different occurrences $\alpha^i$ by letting $(-)^{\natural}$ unwind $\alpha^i$ to $a^i_0, a^i_1, \ldots, a^i_{t_i}$. (2) For the $\mu$-reduction with the following graphical notation
$$(\mu\alpha.(\cdots([\alpha^1]P)\cdots([\alpha^2]Q)\cdots))N \ \to\ \mu\alpha.(\cdots([\alpha^1](P'N))\cdots([\alpha^2]Q')\cdots),$$
we have $t_1 \ge t_2, t_3, \ldots$

7 Final Remarks

In Berardi [2], to obtain an interpretation of intuitionistic logic $+\ \exists x A(x) \vee \neg\exists x A(x)$ ($A(x)$ quantifier-free), he uses a completion idea, similar to the topological completion producing $\mathbb{R}$ out of $\mathbb{Q}$. He is concerned with the processes of computing the limit values. Based on those processes, he directly interprets his semi-formal system of maps. In constructing his model, he uses intuitionistic reasoning, and, consequently, the cofinally-true condition supersedes the definitely-true condition (classically, they are the same for converging limits). For $l : D \to \mathbb{N}$ being a converging limit, he defines that $P(l)$ is cofinally true iff $P(l(d))$ is true cofinally on $D$. So, he can effectively find $d \in D$ such that $P(l(d))$. But the only way we have of finding this is to go through all possible values for $d$.

We conjecture that our non-constructive limit construction n-lim$(-)$ in some constructive set theory is the same as our autonomous limit operation a-lim$(-)$.
Abstract. The intersection type assignment system IT uses the formulas of the negative fragment of the predicate calculus (LJ) as types for the $\lambda$-terms. However, the deductions of IT only correspond to a proper subset of the derivations of LJ, obtained by imposing a meta-theoretic condition about the use of the conjunction of LJ. This paper proposes a logical foundation for IT. This is done by introducing a logic IL. Intuitively, a derivation of IL is a set of derivations in LJ such that the derivations in the set can be thought of as writable in parallel. This way of looking at LJ, by means of IL, allows us to transform the meta-theoretic condition mentioned above into a purely structural property of IL. The relation between IL and LJ surely has a first main benefit: the strong normalization of LJ directly implies the same property for IL, which translates into a very simple proof of the strong normalizability of the $\lambda$-terms typable with IT.



1 Introduction 

The intersection type assignment system (IT) is a set of rules for assigning types to terms of the untyped $\lambda$-calculus. The types of IT are formulas of the predicate logic, built from the two connectives "implication" ($\to$) and "conjunction" ($\wedge$).

IT was introduced in the early Eighties by Mariangiola Dezani and Mario Coppo [6], in order to enhance the typability power of the Curry type assignment system. The system characterizes important properties of the $\lambda$-terms, like normalization and strong normalization. Indeed, it has been proved that IT assigns types to all and only the strongly normalizing terms [19]. Moreover, if the set of types is extended to contain a "universal type" $\omega$, that can be given to all the $\lambda$-terms, then the normalizing terms are exactly those that can be given a type free of occurrences of $\omega$ [4].

Intersection types have been particularly useful in studying the semantics of various kinds of $\lambda$-calculi. This can be done by extending the system with suitable sub-typing relations. In this way the type assignment is a finitary tool to reason about the interpretation of the terms in the topological models of the $\lambda$-calculus, like Scott domains, DI-domains, coherence spaces [1,4,7,10,14,15,22].

Unlike other type assignment systems (like Curry type assignment [8], or the type assignment version of the second order $\lambda$-calculus [12,17]), IT has not been designed starting from a logic, and up to now, the relationship between IT and the implicational and conjunctive fragment of the predicate calculus (LJ) is far from being clear. This was first pointed out by Hindley [13]. The problem is the logical interpretation of the rule introducing the conjunction:



$$(\wedge I_{IT})\quad \frac{\Gamma \vdash_{IT} M : \sigma \qquad \Gamma \vdash_{IT} M : \tau}{\Gamma \vdash_{IT} M : \sigma \wedge \tau} \qquad (1)$$

If we reason according to the Curry-Howard isomorphism, which is the standard relationship between logic and $\lambda$-calculus, then we can observe that in rule (1) above the $\lambda$-term $M$ denotes two proofs. In particular, (1) says that an intersection type $\sigma \wedge \tau$ can be built from the two components $\sigma$ and $\tau$ only when they can be proved by two "isomorphic" proofs, according to a notion of isomorphism that relates proofs encoded by the same $\lambda$-term. Our point is that the use of a $\lambda$-term to express the isomorphism of two derivations is a meta-theoretical restriction on the introduction of the conjunction, and for this reason LJ is not the logic on which IT is based.

In this paper we establish a logical foundation for IT, and clarify the relationship between IT and LJ. More precisely, we define the new logic IL, such that each of its deductions corresponds to a set of deductions in LJ sharing some structural properties. IL is the desired "bridge" between LJ and IT, since a deduction in IT can be obtained as a partial decoration of a deduction in IL. Moreover, IL has all the good properties we ask of a logic. In particular it enjoys the strong normalization property, whose proof derives directly from the analogous property of LJ [20]. Moreover, thanks to the relation between IL and IT, we obtain for free that if a term is typable by an intersection type, then it is also strongly normalizable. As a side result, a typed version of $\lambda$-terms with intersection types can be obtained through a full decoration of deductions in IL. But this is the subject of a forthcoming paper.

The literature presents other proof-theoretical investigations of the intersection type assignment. Barbanera and Alessi [2], refining a previous attempt of Mints [18], proved that IT, equipped with both $\beta$- and $\eta$-reduction, gives a complete realizability semantics of the predicate logic with implication and "strong conjunction". This result has been further extended to other connectives in [3].

The first attempt to give a logical foundation to intersection types was by Venneri [23]. She proposed a Hilbert-style logic corresponding to a system which assigns intersection types to the terms of Combinatory Logic. A further extension with union types is in [9]. Our feeling is that the approach in [23,9] is not suitable for the $\lambda$-calculus.

Moreover, in [5] there is the proof that a typed version of IT can be obtained, through the Curry-Howard isomorphism, from a logic where formulas are sequences of formulas of LJ. The untyped version of such a language is quite similar to the language in [16], which has been defined to highlight the intrinsic parallelism of the $\beta$-reduction. Other typed versions of IT have been defined by Reynolds [21] and Wells [24], but they did not follow a logical approach, so they are unrelated to the topic of the present paper.

To conclude, we believe that our approach to a logical foundation of IT could evolve by adopting the principles at the base of Ludics, the project initiated by J.-Y. Girard to re-found logic [11].

The paper is organized as follows. In Sections 2 and 3 the systems LJ and IT are briefly recalled. In Section 4 the intersection logic IL is defined, and its relation with LJ is stated. In Section 5 the strong normalization of IL is proved. Section 6 contains the main theorem, which formalizes the relation between IL and IT.



2 Intuitionistic Logic: Implicative and Conjunctive Fragment



We start by recalling the natural deduction of the implicative and conjunctive fragment of Intuitionistic Logic that, somewhat abusing the name, we call LJ.

Definition 1. i) The formulas of LJ belong to the language generated by the grammar:
$$\sigma ::= a \mid (\sigma \to \sigma) \mid (\sigma \wedge \sigma)$$
where $a \in V$ (a denumerable set of constants). The formulas are denoted by $\rho, \sigma, \tau$. We assume associativity to the right for $\to$ and to the left for $\wedge$.

ii) A context is a finite sequence $\sigma_1, \ldots, \sigma_n$ of formulas, denoted by $\Gamma, \Delta$, possibly indexed.

iii) The natural deduction system LJ proves statements $\Gamma \vdash_{LJ} \sigma$, where $\Gamma$ is a context and $\sigma$ a formula. It consists of the following rules:

$$(A_{LJ})\ \frac{}{\sigma \vdash_{LJ} \sigma} \qquad (X_{LJ})\ \frac{\Gamma, \sigma, \tau, \Delta \vdash_{LJ} \rho}{\Gamma, \tau, \sigma, \Delta \vdash_{LJ} \rho} \qquad (W_{LJ})\ \frac{\Gamma \vdash_{LJ} \sigma}{\Gamma, \tau \vdash_{LJ} \sigma}$$

$$(\wedge I_{LJ})\ \frac{\Gamma \vdash_{LJ} \sigma \quad \Gamma \vdash_{LJ} \tau}{\Gamma \vdash_{LJ} \sigma \wedge \tau} \qquad (\wedge E^l_{LJ})\ \frac{\Gamma \vdash_{LJ} \sigma \wedge \tau}{\Gamma \vdash_{LJ} \sigma} \qquad (\wedge E^r_{LJ})\ \frac{\Gamma \vdash_{LJ} \sigma \wedge \tau}{\Gamma \vdash_{LJ} \tau}$$

$$(\to I_{LJ})\ \frac{\Gamma, \sigma \vdash_{LJ} \tau}{\Gamma \vdash_{LJ} \sigma \to \tau} \qquad (\to E_{LJ})\ \frac{\Gamma \vdash_{LJ} \sigma \to \tau \quad \Gamma \vdash_{LJ} \sigma}{\Gamma \vdash_{LJ} \tau}$$

The deductions of LJ are denoted by $\Pi, \Pi_1, \ldots$. Moreover, $\Pi : \Gamma \vdash_{LJ} \sigma$ means that $\Pi$ concludes, proving $\Gamma \vdash_{LJ} \sigma$.



Example 1. Let $\sigma$ denote the formula $(\alpha \wedge \beta) \wedge \gamma$. Define the following three deductions:

$\Pi_0$: $\ \sigma \vdash_{LJ} (\alpha \wedge \beta) \wedge \gamma$ by $(A_{LJ})$; $\ \sigma \vdash_{LJ} \alpha \wedge \beta$ by $(\wedge E^l_{LJ})$; $\ \sigma \vdash_{LJ} \alpha$ by $(\wedge E^l_{LJ})$.

$\Pi_1$: $\ \sigma \vdash_{LJ} (\alpha \wedge \beta) \wedge \gamma$ by $(A_{LJ})$; $\ \sigma \vdash_{LJ} \gamma$ by $(\wedge E^r_{LJ})$.

$\Pi_2$: $\ \alpha \vdash_{LJ} \alpha$ by $(A_{LJ})$; $\ \vdash_{LJ} \alpha \to \alpha$ by $(\to I_{LJ})$.

Then, $\Pi$ is:

$$(\wedge I_{LJ})\ \frac{(\to I_{LJ})\ \dfrac{(\wedge I_{LJ})\ \dfrac{\Pi_0 : \sigma \vdash_{LJ} \alpha \quad \Pi_1 : \sigma \vdash_{LJ} \gamma}{\sigma \vdash_{LJ} \alpha \wedge \gamma}}{\vdash_{LJ} (\alpha \wedge \beta) \wedge \gamma \to (\alpha \wedge \gamma)} \quad \Pi_2 : \vdash_{LJ} \alpha \to \alpha}{\vdash_{LJ} ((\alpha \wedge \beta) \wedge \gamma \to (\alpha \wedge \gamma)) \wedge (\alpha \to \alpha)}$$



Let us recall the strong normalization property of the deductions in LJ.

Definition 2. Let $\Pi$ be a deduction of LJ.

i) A $\wedge$-LJ-redex of $\Pi$ is a sequence of two rules, formed by an instance of $(\wedge I_{LJ})$, followed by an instance of either $(\wedge E^l_{LJ})$ or $(\wedge E^r_{LJ})$;

ii) A $\to$-LJ-redex of $\Pi$ is a sequence of two rules, formed by an instance of $(\to I_{LJ})$, followed by an instance of $(\to E_{LJ})$;

iii) $\Pi$ is normal if it contains neither $\wedge$-LJ-redexes nor $\to$-LJ-redexes.

Lemma 1. Consider two derivations $\Pi : \Gamma \vdash_{LJ} \sigma$ and $\Pi' : \Gamma, \sigma \vdash_{LJ} \tau$. Call $S(\Pi, \Pi')$ the deductive structure obtained by replacing the conclusion of $\Pi$ for every occurrence of $(A_{LJ})$ deriving $\sigma \vdash_{LJ} \sigma$, and such that the $\sigma$ to the left of $\vdash_{LJ}$ is free in the conclusion of $\Pi'$. Then, $S(\Pi, \Pi') : \Gamma \vdash_{LJ} \tau$.



Definition 3. The rewriting relation $\leadsto_{LJ}$ between derivations is defined as follows:

— $(\wedge E^s_{LJ})$ applied to $(\wedge I_{LJ})$, where $s \in \{l, r\}$:
$$(\wedge E^s_{LJ})\ \frac{(\wedge I_{LJ})\ \dfrac{\Pi_l : \Gamma \vdash_{LJ} \sigma_l \quad \Pi_r : \Gamma \vdash_{LJ} \sigma_r}{\Gamma \vdash_{LJ} \sigma_l \wedge \sigma_r}}{\Gamma \vdash_{LJ} \sigma_s} \quad \leadsto_{LJ} \quad \Pi_s : \Gamma \vdash_{LJ} \sigma_s$$

— $(\to E_{LJ})$ applied to $(\to I_{LJ})$:
$$(\to E_{LJ})\ \frac{(\to I_{LJ})\ \dfrac{\Pi_1 : \Gamma, \sigma \vdash_{LJ} \tau}{\Gamma \vdash_{LJ} \sigma \to \tau} \quad \Pi_2 : \Gamma \vdash_{LJ} \sigma}{\Gamma \vdash_{LJ} \tau} \quad \leadsto_{LJ} \quad S(\Pi_2, \Pi_1) : \Gamma \vdash_{LJ} \tau$$

Theorem 1 (Prawitz). The rewriting relation $\leadsto_{LJ}$ is strongly normalizing.



3 Intersection Types 

We briefly recall the system of Intersection Types (IT), which works as a type assignment system for the untyped $\lambda$-calculus.

Definition 4. i) The set of types of IT coincides with the formulas of LJ.

ii) An IT-context is a finite set of pairs $\{x_1 : \sigma_1, \ldots, x_n : \sigma_n\}$ that assigns types to $\lambda$-variables so that $i \ne j$ implies $x_i \ne x_j$. By abusing the notation, $\Gamma$ and $\Delta$ denote IT-contexts.

iii) IT is a deductive system that derives judgments $\Gamma \vdash_{IT} M : \sigma$ where $M$ is a $\lambda$-term, $\Gamma$ is an IT-context, and $\sigma$ is a type. IT consists of the following rules:

$$(A_{IT})\ \frac{x : \sigma \in \Gamma}{\Gamma \vdash_{IT} x : \sigma} \qquad (\to I_{IT})\ \frac{\Gamma \cup \{x : \sigma\} \vdash_{IT} M : \tau}{\Gamma \vdash_{IT} \lambda x.M : \sigma \to \tau} \qquad (\to E_{IT})\ \frac{\Gamma \vdash_{IT} M : \sigma \to \tau \quad \Gamma \vdash_{IT} N : \sigma}{\Gamma \vdash_{IT} MN : \tau}$$

$$(\wedge I_{IT})\ \frac{\Gamma \vdash_{IT} M : \sigma \quad \Gamma \vdash_{IT} M : \tau}{\Gamma \vdash_{IT} M : \sigma \wedge \tau} \qquad (\wedge E^l_{IT})\ \frac{\Gamma \vdash_{IT} M : \sigma \wedge \tau}{\Gamma \vdash_{IT} M : \sigma} \qquad (\wedge E^r_{IT})\ \frac{\Gamma \vdash_{IT} M : \sigma \wedge \tau}{\Gamma \vdash_{IT} M : \tau}$$

We keep using $\pi, \pi_1, \ldots$ to denote the deductions of IT. Moreover, the meaning of $\pi : \Gamma \vdash_{IT} M : \sigma$ is analogous to that of $\Pi : \Gamma \vdash_{LJ} \sigma$.



Example 2. Let $\sigma$ denote the type $(\alpha \wedge \beta) \wedge \gamma$ and let $\pi_4$ be the following deduction:

$$(\to I_{IT})\ \frac{(\wedge I_{IT})\ \dfrac{(\wedge E^l_{IT})\ \dfrac{(\wedge E^l_{IT})\ \dfrac{(A_{IT})\ \dfrac{}{x : \sigma \vdash_{IT} x : \sigma}}{x : \sigma \vdash_{IT} x : \alpha \wedge \beta}}{x : \sigma \vdash_{IT} x : \alpha} \quad (\wedge E^r_{IT})\ \dfrac{(A_{IT})\ \dfrac{}{x : \sigma \vdash_{IT} x : \sigma}}{x : \sigma \vdash_{IT} x : \gamma}}{x : \sigma \vdash_{IT} x : \alpha \wedge \gamma}}{\vdash_{IT} \lambda x.x : (\alpha \wedge \beta) \wedge \gamma \to (\alpha \wedge \gamma)}$$

Let $\pi_5$ be the following deduction:

$$(\to I_{IT})\ \frac{(A_{IT})\ \dfrac{}{x : \alpha \vdash_{IT} x : \alpha}}{\vdash_{IT} \lambda x.x : \alpha \to \alpha}$$

And finally let $\pi_6$ be:

$$(\wedge I_{IT})\ \frac{\pi_4 : \vdash_{IT} \lambda x.x : (\alpha \wedge \beta) \wedge \gamma \to (\alpha \wedge \gamma) \quad \pi_5 : \vdash_{IT} \lambda x.x : \alpha \to \alpha}{\vdash_{IT} \lambda x.x : ((\alpha \wedge \beta) \wedge \gamma \to (\alpha \wedge \gamma)) \wedge (\alpha \to \alpha)}$$



4 Intersection Logic 

In this section we introduce Intersection Logic (IL), whose derivations correspond to sets of derivations in LJ that share some similarity in structure. The formulas of IL are binary trees whose leaves are labeled by formulas of LJ. The relation between IL and LJ can be informally described as follows: a derivation $\Pi$ of IL groups a set, say $LJ(\Pi)$, of derivations of LJ. Every derivation $\Pi' \in LJ(\Pi)$ can be obtained by taking the leaf at a given path in every tree of $\Pi$. In particular, the elements of $LJ(\Pi)$ share both the number of instances and the order of application of the rules introducing and eliminating the connective $\to$.

We need to introduce some preliminary notions. 

Definition 5. i) A kit is a binary tree in the language generated by the following grammar: $K ::= \sigma \mid [K, K]$. The leaves of any kit, which we also call atoms, are formulas of LJ. The kits are denoted by $H, K$.

ii) Two kits overlap if they are two trees with exactly the same structure, which may differ only in the names of their atoms; $H \simeq K$ denotes two overlapping kits $H$ and $K$. For example, $\sigma \simeq \tau$.

iii) Two overlapping kits map to a kit with only arrows as its leaves, by the function $(\ )^+$, defined as follows:
$$[\sigma, \tau]^+ \mapsto \sigma \to \tau \qquad [[H_1, H_2], [K_1, K_2]]^+ \mapsto [[H_1, K_1]^+, [H_2, K_2]^+]$$
$H \to K$ denotes the result of $[H, K]^+$, with $H \simeq K$. Otherwise, $H \to K$ is undefined.

iv) A path is a string built over the set $\{l, r\}$; $p, q$, possibly indexed, denote paths, and $\varepsilon$ denotes the empty path. The subtree $H^p$ of a kit $H$ at the path $p$ is inductively defined as follows:
$$H^{\varepsilon} = H, \qquad [H_1, H_2]^{lp} = H_1^{p}, \qquad [H_1, H_2]^{rp} = H_2^{p}.$$
Otherwise, $H^p$ is undefined.

A path $p$ is defined in $H$ if $H^p$ is defined, and it is terminal in $H$ if $H^p$ is an atom; the set of terminal paths of a kit $H$ is denoted by $Pt(H)$.

$H[p := K]$ denotes the kit resulting from the replacement of $K$ for $H^p$ in $H$.

v) Let $s \in \{l, r\}$, and let $ps$ be a path defined in $H$. The pruning of $H$ at path $ps$ is defined as follows: $H|^{ps} = H[p := H^{ps}]$.

vi) $=$ is the syntactical identity of atoms, kits and paths.

By definition, we have:

Fact 1. 1. $Pt(H \to K) = Pt(H) = Pt(K)$;

2. $H|^{p} \to K|^{p} = (H \to K)|^{p}$;

3. If $p$ and $q$ are two different paths, then $(H|^{p})|^{q} = (H|^{q})|^{p}$.



The definition below is about the deductive system $\vdash_{pIL}$ on which we shall define IL. The key feature of $\vdash_{pIL}$ is that each of its judgments exclusively contains overlapping kits. Intuitively, this invariance on the judgment form formalizes that every derivation of $\vdash_{pIL}$ stands for a set of deductions of LJ which share structural properties.

Definition 6 (Natural deduction $\vdash_{pIL}$). The natural deduction system $\vdash_{pIL}$, that we call pre Intersection Logic, derives judgments $\Gamma \vdash_{pIL} K$, where $\Gamma$ is a sequence of kits and $K$ is a kit. It consists of the following rules:



$$(A_{pIL})\ \frac{}{H \vdash_{pIL} H} \qquad (X_{pIL})\ \frac{\Gamma, H, H', \Delta \vdash_{pIL} K}{\Gamma, H', H, \Delta \vdash_{pIL} K} \qquad (W_{pIL})\ \frac{H_1, \ldots, H_n \vdash_{pIL} H \quad H_i \simeq H'\ (1 \le i \le n)}{H_1, \ldots, H_n, H' \vdash_{pIL} H}$$

$$(P_{pIL})\ \frac{\Gamma \vdash_{pIL} K \quad s \in \{l, r\} \quad ps \in Pt(K)}{\Gamma|^{ps} \vdash_{pIL} K|^{ps}} \qquad (\to I_{pIL})\ \frac{\Gamma, H \vdash_{pIL} K}{\Gamma \vdash_{pIL} H \to K} \qquad (\to E_{pIL})\ \frac{\Gamma \vdash_{pIL} H \to K \quad \Gamma \vdash_{pIL} H}{\Gamma \vdash_{pIL} K}$$

$$(\wedge E^l_{pIL})\ \frac{\Gamma \vdash_{pIL} K[p := \sigma \wedge \tau]}{\Gamma \vdash_{pIL} K[p := \sigma]} \qquad (\wedge E^r_{pIL})\ \frac{\Gamma \vdash_{pIL} K[p := \sigma \wedge \tau]}{\Gamma \vdash_{pIL} K[p := \tau]}$$

$$(\wedge I_{pIL})\ \frac{H_1[p := [\sigma_1, \sigma_1]], \ldots, H_n[p := [\sigma_n, \sigma_n]] \vdash_{pIL} K[p := [\sigma, \tau]]}{H_1[p := \sigma_1], \ldots, H_n[p := \sigma_n] \vdash_{pIL} K[p := \sigma \wedge \tau]}$$

where, in rule $(P_{pIL})$, the notation $\Gamma|^{ps}$ stands for the distribution of the pruning to the components of $\Gamma$.

The judgments of $\vdash_{pIL}$ enjoy an invariant:

Lemma 2. If $H_1, \ldots, H_n \vdash_{pIL} K$, then $H_i \simeq K$ $(1 \le i \le n)$.

Proof. By structural induction on the deduction of $H_1, \ldots, H_n \vdash_{pIL} K$.
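A worked pre-Intersection-Logic derivation, added here as an illustration (it is not an example from the paper): using only the rules of Definition 6 it builds one $\vdash_{pIL}$ judgment whose leaves carry the LJ judgments of Example 1 and whose shape matches the IT deduction $\pi_6$ of Example 2. Write $\sigma$ for $(\alpha \wedge \beta) \wedge \gamma$.

$$\begin{array}{lll}
1. & [[\sigma, \sigma], \alpha] \vdash_{pIL} [[\sigma, \sigma], \alpha] & (A_{pIL}) \\
2. & [[\sigma, \sigma], \alpha] \vdash_{pIL} [[\alpha \wedge \beta, \sigma], \alpha] & (\wedge E^l_{pIL})\ \text{at } p = ll \\
3. & [[\sigma, \sigma], \alpha] \vdash_{pIL} [[\alpha, \sigma], \alpha] & (\wedge E^l_{pIL})\ \text{at } p = ll \\
4. & [[\sigma, \sigma], \alpha] \vdash_{pIL} [[\alpha, \gamma], \alpha] & (\wedge E^r_{pIL})\ \text{at } p = lr \\
5. & [\sigma, \alpha] \vdash_{pIL} [\alpha \wedge \gamma, \alpha] & (\wedge I_{pIL})\ \text{at } p = l,\ n = 1,\ \sigma_1 = \sigma \\
6. & \vdash_{pIL} [\sigma, \alpha] \to [\alpha \wedge \gamma, \alpha] = [\sigma \to \alpha \wedge \gamma,\ \alpha \to \alpha] & (\to I_{pIL}) \\
7. & \vdash_{pIL} (\sigma \to \alpha \wedge \gamma) \wedge (\alpha \to \alpha) & (\wedge I_{pIL})\ \text{at } p = \varepsilon,\ n = 0
\end{array}$$

Step 5 is an instance of $(\wedge I_{pIL})$ because its premise context $[[\sigma, \sigma], \alpha]$ is $H_1[l := [\sigma_1, \sigma_1]]$ for $H_1 = [\sigma, \alpha]$, and its conclusion kit $[[\alpha, \gamma], \alpha]$ is $K[l := [\alpha, \gamma]]$ for $K = [\alpha \wedge \gamma, \alpha]$; step 6 uses item iii) of Definition 5 to compute the kit arrow. At every line the context kits overlap the conclusion kit, as Lemma 2 requires. Reading the leaf at path $ll$ through lines 1 to 4 gives the judgments of $\Pi_0$, the leaf at $lr$ gives those of $\Pi_1$ (the lines that leave a leaf untouched repeat it), and the leaf at $r$ through lines 1 to 6 gives those of $\Pi_2$; the $(\wedge I_{pIL})$ step at $l$ merges the paths $ll$ and $lr$ exactly where $(\wedge I_{LJ})$ merges $\Pi_0$ and $\Pi_1$ in $\Pi$, and where $(\wedge I_{IT})$ in $\pi_4$ demands that both premises be decorated by the same term $x$.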

In the following definition we introduce a "decoration" of all the systems previously defined, inspired by the so-called "Curry-Howard isomorphism": every deduction $\Pi$ is associated to a $\lambda$-term to keep track of some structural properties of $\Pi$. Note that this decoration is not standard: the $\lambda$-term associated to $\Pi$ is untyped, and does not encode the whole structure of $\Pi$, but just the order of the occurrences of the rules which introduce and eliminate $\to$. Moreover, the decoration is a partial function when applied to a derivation of LJ. Indeed, a decoration of a proof whose last rule is $(\wedge I_{LJ})$ is defined only if the derivations of its two premises are decorated by the same term.



Definition 7. Let $* \in \{LJ, pIL\}$, and let $A, B, C, \ldots$ be meta-variables for denoting 
either atoms or kits. Also, let $\Delta$ denote a sequence built over $\{A, B, C, \ldots\}$. 

i) Every $\Pi$ proving $\Delta \vdash_* A$ can be decorated by a $\lambda$-term $T_{dom(\Delta^*)}(\Pi)$, where 
$\Delta^*$ is a decoration of $\Delta$, and, if $\Delta^* = x_1 : A_1, \ldots, x_n : A_n$, then $dom(\Delta^*)$ 
is the sequence $x_1, \ldots, x_n$. The decoration of $\vdash_*$ is denoted by $\vdash^+_*$ and is 
inductively defined as: 

• $\Pi : \dfrac{}{A \vdash_* A}\ (A_*)$ becomes $\Pi^+ : \dfrac{}{x : A \vdash^+_* x : A}$, and $T_x(\Pi) = x$; 

• $\Pi : \dfrac{\Pi_1 : \Delta \vdash_* A}{\Delta, B \vdash_* A}\ (W_*)$ becomes 
$\Pi^+ : \dfrac{\Pi_1^+ : \Delta^* \vdash^+_* T_{dom(\Delta^*)}(\Pi_1) : A}{\Delta^*, x : B \vdash^+_* T_{dom(\Delta^*),x}(\Pi) : A}$, 
where $\Delta^*$ is the decoration of $\Delta$, $x$ is fresh, and $T_{dom(\Delta^*),x}(\Pi) = T_{dom(\Delta^*)}(\Pi_1)$; 

• $\Pi : \dfrac{\Pi_1 : \Delta, A \vdash_* B}{\Delta \vdash_* A \to B}\ (\to\!I_*)$ becomes 
$\Pi^+ : \dfrac{\Pi_1^+ : \Delta^*, x : A \vdash^+_* T_{dom(\Delta^*),x}(\Pi_1) : B}{\Delta^* \vdash^+_* \lambda x.T_{dom(\Delta^*),x}(\Pi_1) : A \to B}$, 
and $T_{dom(\Delta^*)}(\Pi) = \lambda x.T_{dom(\Delta^*),x}(\Pi_1)$; 

• $\Pi : \dfrac{\Pi_1 : \Delta \vdash_* A \to B \qquad \Pi_2 : \Delta \vdash_* A}{\Delta \vdash_* B}\ (\to\!E_*)$ becomes 
$\Pi^+ : \dfrac{\Pi_1^+ : \Delta^* \vdash^+_* T_{dom(\Delta^*)}(\Pi_1) : A \to B \qquad \Pi_2^+ : \Delta^* \vdash^+_* T_{dom(\Delta^*)}(\Pi_2) : A}{\Delta^* \vdash^+_* T_{dom(\Delta^*)}(\Pi_1)\,T_{dom(\Delta^*)}(\Pi_2) : B}$, 
and $T_{dom(\Delta^*)}(\Pi) = T_{dom(\Delta^*)}(\Pi_1)\,T_{dom(\Delta^*)}(\Pi_2)$; 

• $\Pi : \dfrac{\Pi_1 : K_1, \ldots, K_n \vdash_{pIL} H}{K_1\backslash^{ps}, \ldots, K_n\backslash^{ps} \vdash_{pIL} H\backslash^{ps}}\ (P_{pIL})$ becomes 
$\Pi^+ : \dfrac{\Pi_1^+ : x_1 : K_1, \ldots, x_n : K_n \vdash^+_{pIL} T_{x_1,\ldots,x_n}(\Pi_1) : H}{x_1 : K_1\backslash^{ps}, \ldots, x_n : K_n\backslash^{ps} \vdash^+_{pIL} T_{x_1,\ldots,x_n}(\Pi) : H\backslash^{ps}}$, 
and $T_{x_1,\ldots,x_n}(\Pi) = T_{x_1,\ldots,x_n}(\Pi_1)$; 

• $\Pi : \dfrac{\Pi_1 : H_1[p := [\sigma_1,\sigma_1]], \ldots, H_n[p := [\sigma_n,\sigma_n]] \vdash_{pIL} K[p := [\sigma,\tau]]}{H_1[p := \sigma_1], \ldots, H_n[p := \sigma_n] \vdash_{pIL} K[p := \sigma \wedge \tau]}\ (\wedge I^p_{pIL})$ becomes 
$\Pi^+ : \dfrac{\Pi_1^+ : x_1 : H_1[p := [\sigma_1,\sigma_1]], \ldots, x_n : H_n[p := [\sigma_n,\sigma_n]] \vdash^+_{pIL} T_{x_1,\ldots,x_n}(\Pi_1) : K[p := [\sigma,\tau]]}{x_1 : H_1[p := \sigma_1], \ldots, x_n : H_n[p := \sigma_n] \vdash^+_{pIL} T_{x_1,\ldots,x_n}(\Pi) : K[p := \sigma \wedge \tau]}$, 
and $T_{x_1,\ldots,x_n}(\Pi) = T_{x_1,\ldots,x_n}(\Pi_1)$; 

• $\Pi : \dfrac{\Pi_1 : \Delta \vdash_{LJ} \sigma \qquad \Pi_2 : \Delta \vdash_{LJ} \tau}{\Delta \vdash_{LJ} \sigma \wedge \tau}\ (\wedge I_{LJ})$, with 
$\Pi_1^+ : \Delta^* \vdash^+_{LJ} T_{dom(\Delta^*)}(\Pi_1) : \sigma$ and $\Pi_2^+ : \Delta^* \vdash^+_{LJ} T_{dom(\Delta^*)}(\Pi_2) : \tau$. 
If $T_{dom(\Delta^*)}(\Pi_1) = T_{dom(\Delta^*)}(\Pi_2)$, then the decoration is: 
$\Pi^+ : \dfrac{\Delta^* \vdash^+_{LJ} T_{dom(\Delta^*)}(\Pi_1) : \sigma \qquad \Delta^* \vdash^+_{LJ} T_{dom(\Delta^*)}(\Pi_2) : \tau}{\Delta^* \vdash^+_{LJ} T_{dom(\Delta^*)}(\Pi) : \sigma \wedge \tau}$, 
where $T_{dom(\Delta^*)}(\Pi) = T_{dom(\Delta^*)}(\Pi_1)$. 
Otherwise, if $T_{dom(\Delta^*)}(\Pi_1) \neq T_{dom(\Delta^*)}(\Pi_2)$, then $T_{dom(\Delta^*)}(\Pi)$ does not 
exist. 

• $\Pi : \dfrac{\Pi_1 : \Delta \vdash_* A}{\Delta \vdash_* B}\ (o)$ becomes 
$\Pi^+ : \dfrac{\Pi_1^+ : \Delta^* \vdash^+_* T_{dom(\Delta^*)}(\Pi_1) : A}{\Delta^* \vdash^+_* T_{dom(\Delta^*)}(\Pi_1) : B}$, 
and $T_{dom(\Delta^*)}(\Pi) = T_{dom(\Delta^*)}(\Pi_1)$, for all rules $(o)$ not in the set 
$\{(\to\!I_*), (\to\!E_*), (A_*), (W_*), (P_{pIL}), (\wedge I_*)\}$. 

ii) Let $\Pi$ be a deduction in the system $\vdash_*$. Then $U(\Pi)$ is the set: 

$$\{\, T_{dom(\Delta^*)}(\Pi) \mid \Pi : \Delta \vdash_* A,\ T_{dom(\Delta^*)}(\Pi) \text{ exists and } \Delta^* \text{ is a decoration of } \Delta \,\}$$
Notice that, by construction, $M, N \in U(\Pi)$ implies that $M$ and $N$ can differ from each 
other only by renaming of both free and bound variables. We will call $U(\Pi)$ the form 
of $\Pi$. 

The next theorem shows that every derivation of $\vdash_{pIL}$ corresponds to a set 
of derivations in LJ with the same form. 



Theorem 2 (From $\vdash_{pIL}$ to LJ). Let $\Pi : H_1, \ldots, H_n \vdash_{pIL} H$. For every path 
$p$ terminal in $H$, it is $\Pi^p : H_1^p, \ldots, H_n^p \vdash_{LJ} H^p$, and $U(\Pi^p)$ is defined, and 

$$U(\Pi^p) = U(\Pi).$$

Proof. By induction on $\Pi$. 



We conclude this section with a definition that eliminates unnecessary differ- 
entiations among the deductions of $\vdash_{pIL}$. In particular, it allows us to consider the 
deductions of $\vdash_{pIL}$ up to the order of application of the rules involving the ma- 
nipulation of the kits. Equivalently, the definition below introduces a set of 
commuting equivalences. We could get rid of them simply by introducing new 
versions of the rules $(\wedge E^{pl}_{pIL})$, $(\wedge E^{pr}_{pIL})$, $(\wedge I^p_{pIL})$, working in parallel on disjoint 
paths of the same kit. Our opinion is that such a solution would have obscured 
the clarity of the logical system $\vdash_{pIL}$. 

Definition 8 (Intersection Logic). Intersection Logic, abbreviated as IL, is 
the set of all the deductions of $\vdash_{pIL}$, quotiented by the congruence $\equiv$ 
defined as: 

$$\dfrac{\dfrac{\Gamma \vdash_{pIL} K[p := \sigma_l \wedge \sigma_r][q := \tau_l \wedge \tau_r]}{\Gamma \vdash_{pIL} K[p := \sigma_s][q := \tau_l \wedge \tau_r]}\ (\wedge E^{ps}_{pIL})}{\Gamma \vdash_{pIL} K[p := \sigma_s][q := \tau_{s'}]}\ (\wedge E^{qs'}_{pIL}) \quad \equiv \quad \dfrac{\dfrac{\Gamma \vdash_{pIL} K[p := \sigma_l \wedge \sigma_r][q := \tau_l \wedge \tau_r]}{\Gamma \vdash_{pIL} K[p := \sigma_l \wedge \sigma_r][q := \tau_{s'}]}\ (\wedge E^{qs'}_{pIL})}{\Gamma \vdash_{pIL} K[p := \sigma_s][q := \tau_{s'}]}\ (\wedge E^{ps}_{pIL})$$

$$\dfrac{\dfrac{\Gamma \vdash_{pIL} K[p := \sigma_l \wedge \sigma_r][q := [\tau_l, \tau_r]]}{\Gamma' \vdash_{pIL} K[p := \sigma_l \wedge \sigma_r][q := \tau_l \wedge \tau_r]}\ (\wedge I^{q}_{pIL})}{\Gamma' \vdash_{pIL} K[p := \sigma_s][q := \tau_l \wedge \tau_r]}\ (\wedge E^{ps}_{pIL}) \quad \equiv \quad \dfrac{\dfrac{\Gamma \vdash_{pIL} K[p := \sigma_l \wedge \sigma_r][q := [\tau_l, \tau_r]]}{\Gamma \vdash_{pIL} K[p := \sigma_s][q := [\tau_l, \tau_r]]}\ (\wedge E^{ps}_{pIL})}{\Gamma' \vdash_{pIL} K[p := \sigma_s][q := \tau_l \wedge \tau_r]}\ (\wedge I^{q}_{pIL})$$

being $s, s' \in \{l, r\}$, and $p, q$ two different paths; in the second pair, $\Gamma'$ is the 
context obtained from $\Gamma$ by the instance of $(\wedge I^q_{pIL})$, as prescribed in Definition 6. 

An equivalence class in IL whose deductions prove $H_1, \ldots, H_n \vdash_{pIL} K$ is 
denoted by $H_1, \ldots, H_n \vdash_{IL} K$, or $\pi : H_1, \ldots, H_n \vdash_{IL} K$. 



Definition 8 also assures that the terms decorating the conclusions of two de- 
ductions of the same equivalence class of IL are the same: 

Fact 2. $\pi : H_1, \ldots, H_n \vdash_{IL} K$ implies $T_{x_1,\ldots,x_n}(\Pi) = T_{x_1,\ldots,x_n}(\Pi')$, for every 
$\Pi, \Pi' \in \pi$. 

So, we can safely identify $T_{x_1,\ldots,x_n}(\pi)$ and $T_{x_1,\ldots,x_n}(\Pi)$, if $\Pi \in \pi$. Moreover, we 
can extend our terminology to say that $U(\Pi)$ is the form of $\pi$ as well. 
Example 3. Let $\sigma$ denote the formula $(\alpha \wedge \beta) \wedge \gamma$. Let also the following deductions 
be given: 

$$\Pi_7 : \dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{}{[[\sigma,\sigma],\sigma] \vdash_{pIL} [[\sigma,\sigma],\sigma]}\ (A_{pIL})}{[[\sigma,\sigma],\sigma] \vdash_{pIL} [[\alpha \wedge \beta, \sigma],\sigma]}\ (\wedge E^{ll,l}_{pIL})}{[[\sigma,\sigma],\sigma] \vdash_{pIL} [[\alpha, \sigma],\sigma]}\ (\wedge E^{ll,l}_{pIL})}{[[\sigma,\sigma],\sigma] \vdash_{pIL} [[\alpha, \gamma],\sigma]}\ (\wedge E^{lr,r}_{pIL})}{[\sigma,\sigma] \vdash_{pIL} [\alpha \wedge \gamma, \sigma]}\ (\wedge I^{l}_{pIL})}{\vdash_{pIL} [\sigma \to (\alpha \wedge \gamma), \sigma \to \sigma]}\ (\to\!I_{pIL})$$

$$\Pi_8 : \dfrac{\Pi_7 : \vdash_{pIL} [\sigma \to (\alpha \wedge \gamma), \sigma \to \sigma]}{\vdash_{pIL} (\sigma \to (\alpha \wedge \gamma)) \wedge (\sigma \to \sigma)}\ (\wedge I_{pIL})$$

$$\Pi_9 : \dfrac{\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{}{[[\sigma,\sigma],\sigma] \vdash_{pIL} [[\sigma,\sigma],\sigma]}\ (A_{pIL})}{[[\sigma,\sigma],\sigma] \vdash_{pIL} [[\alpha \wedge \beta, \sigma],\sigma]}\ (\wedge E^{ll,l}_{pIL})}{[[\sigma,\sigma],\sigma] \vdash_{pIL} [[\alpha \wedge \beta, \gamma],\sigma]}\ (\wedge E^{lr,r}_{pIL})}{[[\sigma,\sigma],\sigma] \vdash_{pIL} [[\alpha, \gamma],\sigma]}\ (\wedge E^{ll,l}_{pIL})}{[\sigma,\sigma] \vdash_{pIL} [\alpha \wedge \gamma, \sigma]}\ (\wedge I^{l}_{pIL})}{\vdash_{pIL} [\sigma \to (\alpha \wedge \gamma), \sigma \to \sigma]}\ (\to\!I_{pIL})$$

$$\Pi_{10} : \dfrac{\Pi_9 : \vdash_{pIL} [\sigma \to (\alpha \wedge \gamma), \sigma \to \sigma]}{\vdash_{pIL} (\sigma \to (\alpha \wedge \gamma)) \wedge (\sigma \to \sigma)}\ (\wedge I_{pIL})$$

As an exercise, verify that: i) $\Pi_7 \equiv \Pi_9$, ii) if $\pi$ is the equivalence class of 
$\Pi_7$, then $T(\pi) = \lambda x.x$, and iii) the deductions corresponding to $\Pi_7$ and $\Pi_{10}$ in 
the system LJ, according to Theorem 2, are respectively: $(\Pi_7)^l = \Pi_1$, $(\Pi_7)^r = \Pi_2$, 
$(\Pi_{10})^p = \Pi_3$, where $p$ is the only terminal path of the conclusion of $\Pi_{10}$, being 
$\Pi_1$, $\Pi_2$ and $\Pi_3$ defined in Example 1. 
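As an added worked example, not part of the paper, here is the projection of $\Pi_7$ along the path $l$ (Theorem 2), decorated according to Definition 7; it makes exercise ii) explicit and shows where the side condition of $(\wedge I_{LJ})$ is checked ($\sigma = (\alpha \wedge \beta) \wedge \gamma$ as in Example 3):

$$
\dfrac{\dfrac{\dfrac{\dfrac{x : \sigma \vdash^+_{LJ} x : \sigma}{x : \sigma \vdash^+_{LJ} x : \alpha \wedge \beta}\ (\wedge E_{LJ})}{x : \sigma \vdash^+_{LJ} x : \alpha}\ (\wedge E_{LJ}) \qquad \dfrac{x : \sigma \vdash^+_{LJ} x : \sigma}{x : \sigma \vdash^+_{LJ} x : \gamma}\ (\wedge E_{LJ})}{x : \sigma \vdash^+_{LJ} x : \alpha \wedge \gamma}\ (\wedge I_{LJ})}{\vdash^+_{LJ} \lambda x.x : \sigma \to (\alpha \wedge \gamma)}\ (\to\!I_{LJ})
$$

The $\wedge$-eliminations are rules of kind $(o)$ in Definition 7, so they leave the term $x$ of the axiom unchanged; both premises of $(\wedge I_{LJ})$ are therefore decorated by the same term $x$, the decoration of the $(\wedge I_{LJ})$ step exists and equals $x$, and $(\to\!I_{LJ})$ yields $\lambda x.x$. Along the path $r$ the projection is the axiom $x : \sigma \vdash^+_{LJ} x : \sigma$ followed by $(\to\!I_{LJ})$, again decorated by $\lambda x.x$; hence $U((\Pi_7)^l) = U((\Pi_7)^r) = U(\Pi_7)$, as Theorem 2 requires. Had the two premises of $(\wedge I_{LJ})$ carried different terms (as happens when one of them contains an $(\to\!E_{LJ})$ step and the other does not), the decoration would not exist.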



5 Strong Normalization 



In this section we shall prove that IL is strongly normalizable. This property 
follows from the strong normalizability of $\vdash_{pIL}$, proved by reducing it to the anal- 
ogous property of LJ. 



Definition 9. Let $s \in \{l, r\}$. 

i) The P-commuting conversions on the sequent calculus $\vdash_{pIL}$ are the following 
rewriting rules: 



$$\dfrac{\dfrac{\Pi : \Gamma, H, H', \Delta \vdash_{pIL} K}{\Gamma, H', H, \Delta \vdash_{pIL} K}\ (X_{pIL})}{\Gamma\backslash^{ps}, H'\backslash^{ps}, H\backslash^{ps}, \Delta\backslash^{ps} \vdash_{pIL} K\backslash^{ps}}\ (P_{pIL}) \quad \leadsto_P \quad \dfrac{\dfrac{\Pi : \Gamma, H, H', \Delta \vdash_{pIL} K}{\Gamma\backslash^{ps}, H\backslash^{ps}, H'\backslash^{ps}, \Delta\backslash^{ps} \vdash_{pIL} K\backslash^{ps}}\ (P_{pIL})}{\Gamma\backslash^{ps}, H'\backslash^{ps}, H\backslash^{ps}, \Delta\backslash^{ps} \vdash_{pIL} K\backslash^{ps}}\ (X_{pIL})$$

$$\dfrac{\dfrac{\Pi : \Gamma \vdash_{pIL} K}{\Gamma, H \vdash_{pIL} K}\ (W_{pIL})}{\Gamma\backslash^{ps}, H\backslash^{ps} \vdash_{pIL} K\backslash^{ps}}\ (P_{pIL}) \quad \leadsto_P \quad \dfrac{\dfrac{\Pi : \Gamma \vdash_{pIL} K}{\Gamma\backslash^{ps} \vdash_{pIL} K\backslash^{ps}}\ (P_{pIL})}{\Gamma\backslash^{ps}, H\backslash^{ps} \vdash_{pIL} K\backslash^{ps}}\ (W_{pIL})$$

$$\dfrac{\dfrac{\Pi : \Gamma, H \vdash_{pIL} K}{\Gamma \vdash_{pIL} H \to K}\ (\to\!I_{pIL})}{\Gamma\backslash^{ps} \vdash_{pIL} (H \to K)\backslash^{ps}}\ (P_{pIL}) \quad \leadsto_P \quad \dfrac{\dfrac{\Pi : \Gamma, H \vdash_{pIL} K}{\Gamma\backslash^{ps}, H\backslash^{ps} \vdash_{pIL} K\backslash^{ps}}\ (P_{pIL})}{\Gamma\backslash^{ps} \vdash_{pIL} (H \to K)\backslash^{ps}}\ (\to\!I_{pIL})$$

$$\dfrac{\dfrac{\Pi_1 : \Gamma \vdash_{pIL} H \to K \qquad \Pi_2 : \Gamma \vdash_{pIL} H}{\Gamma \vdash_{pIL} K}\ (\to\!E_{pIL})}{\Gamma\backslash^{ps} \vdash_{pIL} K\backslash^{ps}}\ (P_{pIL}) \quad \leadsto_P \quad \dfrac{\dfrac{\Pi_1 : \Gamma \vdash_{pIL} H \to K}{\Gamma\backslash^{ps} \vdash_{pIL} (H \to K)\backslash^{ps}}\ (P_{pIL}) \qquad \dfrac{\Pi_2 : \Gamma \vdash_{pIL} H}{\Gamma\backslash^{ps} \vdash_{pIL} H\backslash^{ps}}\ (P_{pIL})}{\Gamma\backslash^{ps} \vdash_{pIL} K\backslash^{ps}}\ (\to\!E_{pIL})$$

$$\dfrac{\dfrac{\Pi : \Gamma \vdash_{pIL} K[q := [\sigma,\tau]]}{\Gamma' \vdash_{pIL} K[q := \sigma \wedge \tau]}\ (\wedge I^q_{pIL})}{\Gamma'\backslash^{ps} \vdash_{pIL} (K[q := \sigma \wedge \tau])\backslash^{ps}}\ (P_{pIL}) \quad \leadsto_P \quad \dfrac{\dfrac{\Pi : \Gamma \vdash_{pIL} K[q := [\sigma,\tau]]}{\Gamma\backslash^{ps} \vdash_{pIL} (K[q := [\sigma,\tau]])\backslash^{ps}}\ (P_{pIL})}{\Gamma'\backslash^{ps} \vdash_{pIL} (K[q := \sigma \wedge \tau])\backslash^{ps}}\ (\wedge I^q_{pIL})$$

$$\dfrac{\dfrac{\Pi : \Gamma \vdash_{pIL} K[q := \sigma_l \wedge \sigma_r]}{\Gamma \vdash_{pIL} K[q := \sigma_{s'}]}\ (\wedge E^{qs'}_{pIL})}{\Gamma\backslash^{ps} \vdash_{pIL} (K[q := \sigma_{s'}])\backslash^{ps}}\ (P_{pIL}) \quad \leadsto_P \quad \dfrac{\dfrac{\Pi : \Gamma \vdash_{pIL} K[q := \sigma_l \wedge \sigma_r]}{\Gamma\backslash^{ps} \vdash_{pIL} (K[q := \sigma_l \wedge \sigma_r])\backslash^{ps}}\ (P_{pIL})}{\Gamma\backslash^{ps} \vdash_{pIL} (K[q := \sigma_{s'}])\backslash^{ps}}\ (\wedge E^{qs'}_{pIL})$$

with $s' \in \{l, r\}$, and where, in the fifth conversion, $\Gamma'$ is the context obtained 
from $\Gamma$ by the instance of $(\wedge I^q_{pIL})$, as prescribed in Definition 6. 

Under the standard terminology, every sequence of rules to the left of $\leadsto_P$ is 
a P-redex, while the one to its right is a P-reduct. 

ii) A derivation free of occurrences of $(P_{pIL})$ is P-normal. 

iii) We say that a class $\pi$ of IL reduces to another class $\pi'$ of IL, under $\leadsto_P$, 
and we write $\pi \leadsto_P \pi'$, if there are $\Pi \in \pi$ and $\Pi' \in \pi'$ such that $\Pi \leadsto_P \Pi'$. 



Remark that the fourth and sixth P-commuting conversions exploit Fact 1. 

Lemma 3 (P-strong normalization). Every $\Pi : \Gamma \vdash_{pIL} H$ can be reduced to 
a P-normal $\Pi' : \Gamma \vdash_{pIL} H$, under any strategy. 

Proof. Observe that the commuting conversions shift every occurrence of $(P_{pIL})$ 
upwards, where it eventually gets erased. 



Definition 10. Let $s \in \{l, r\}$ and $\Pi \in \pi$. 

i) A $\wedge$-IL-redex of $\Pi$ is the sequence: 

$$\dfrac{\dfrac{\Pi_1 : H_1[p := [\sigma_1,\sigma_1]], \ldots, H_n[p := [\sigma_n,\sigma_n]] \vdash_{pIL} K[p := [\sigma_l,\sigma_r]]}{H_1[p := \sigma_1], \ldots, H_n[p := \sigma_n] \vdash_{pIL} K[p := \sigma_l \wedge \sigma_r]}\ (\wedge I^p_{pIL})}{H_1[p := \sigma_1], \ldots, H_n[p := \sigma_n] \vdash_{pIL} K[p := \sigma_s]}\ (\wedge E^{ps}_{pIL})$$

ii) A $\wedge$-IL-rewriting step on $\Pi$ is: 

$$\dfrac{\dfrac{\Pi_1 : H_1[p := [\sigma_1,\sigma_1]], \ldots, H_n[p := [\sigma_n,\sigma_n]] \vdash_{pIL} K[p := [\sigma_l,\sigma_r]]}{H_1[p := \sigma_1], \ldots, H_n[p := \sigma_n] \vdash_{pIL} K[p := \sigma_l \wedge \sigma_r]}\ (\wedge I^p_{pIL})}{H_1[p := \sigma_1], \ldots, H_n[p := \sigma_n] \vdash_{pIL} K[p := \sigma_s]}\ (\wedge E^{ps}_{pIL}) \quad \leadsto_\wedge \quad \dfrac{\Pi_1 : H_1[p := [\sigma_1,\sigma_1]], \ldots, H_n[p := [\sigma_n,\sigma_n]] \vdash_{pIL} K[p := [\sigma_l,\sigma_r]]}{(H_1[p := [\sigma_1,\sigma_1]])\backslash^{ps}, \ldots, (H_n[p := [\sigma_n,\sigma_n]])\backslash^{ps} \vdash_{pIL} (K[p := [\sigma_l,\sigma_r]])\backslash^{ps}}\ (P_{pIL})$$

where $(H_i[p := [\sigma_i,\sigma_i]])\backslash^{ps} = H_i[p := \sigma_i]$, with $1 \le i \le n$, and 
$(K[p := [\sigma_l,\sigma_r]])\backslash^{ps} = K[p := \sigma_s]$. 

iii) We say that a class $\pi$ of IL reduces to another class $\pi'$ of IL, under a $\wedge$-IL- 
rewriting step, and we write $\pi \leadsto_\wedge \pi'$, if there are $\Pi \in \pi$ and $\Pi' \in \pi'$ such 
that $\Pi \leadsto_\wedge \Pi'$. 



Lemma 4. Consider $\Pi : \Gamma \vdash_{pIL} H$ and $\Pi' : \Gamma, H \vdash_{pIL} K$. Call $S(\Pi, \Pi')$ the 
deductive structure obtained by replacing the conclusion of $\Pi$ for every occur- 
rence of $(A_{pIL})$ deriving $H \vdash_{pIL} H$ and such that the $H$ to the left of $\vdash_{pIL}$ is free in 
$\Pi'$. Then, $S(\Pi, \Pi') : \Gamma \vdash_{pIL} K$. 

Proof. By structural induction on the deduction of $\Gamma, H \vdash_{pIL} K$. 



Definition 11. Let $\Pi \in \pi$. 

i) A $\to$-IL-redex of $\Pi$ is the sequence: 

$$\dfrac{\dfrac{\Pi_0 : \Gamma, H \vdash_{pIL} K}{\Gamma \vdash_{pIL} H \to K}\ (\to\!I_{pIL}) \qquad \Pi_1 : \Gamma \vdash_{pIL} H}{\Gamma \vdash_{pIL} K}\ (\to\!E_{pIL})$$

ii) A $\to$-IL-rewriting step on $\Pi$ is: 

$$\dfrac{\dfrac{\Pi_0 : \Gamma, H \vdash_{pIL} K}{\Gamma \vdash_{pIL} H \to K}\ (\to\!I_{pIL}) \qquad \Pi_1 : \Gamma \vdash_{pIL} H}{\Gamma \vdash_{pIL} K}\ (\to\!E_{pIL}) \quad \leadsto_\to \quad S(\Pi_1, \Pi_0) : \Gamma \vdash_{pIL} K$$

iii) We say that a class $\pi$ of IL reduces to another class $\pi'$ of IL, under a $\to$- 
IL-rewriting step, and we write $\pi \leadsto_\to \pi'$, if there are $\P	i \in \pi$ and $\Pi' \in \pi'$ 
such that $\Pi \leadsto_\to \Pi'$. 



Definition 12. A deduction of IL is normal if it is free of P-redexes, $\wedge$-IL-redexes 
and $\to$-IL-redexes. 

Definition 13. $\leadsto$ is the smallest contextual, reflexive and transitive closure of 
$\leadsto_P \cup \leadsto_\wedge \cup \leadsto_\to$. 

Lemma 5. $\leadsto$ is strongly normalizing. 

Proof. The proof proceeds by exploiting the embedding of IL into LJ, which 
allows one to show that the number of both the $\to$-IL-redexes and the $\wedge$-IL-redexes of 
any derivation $\Pi$ of IL can be bounded by the number of the analogous redexes of 
any projection of $\Pi$ into LJ. The existence of the P-commuting conversions in $\leadsto$, 
which are strongly normalizable, is completely transparent to the embedding. 

Theorem 3. IL is strongly normalizable. 

Proof. From Definition 13 and Lemma 5. 
6 Intersection Types and Intersection Logic 

In this section, we trace the relationship between IL and the intersection type 
system IT. On one side, every deduction $\pi : \Gamma \vdash_{IL} H$ corresponds to a set of 
type assignments. Each of these type assignments gives a type to the form of $\pi$, 
which, we recall, is a $\lambda$-term. The type is one of the leaves of $H$. On the other 
side, every type assignment $\{x_1 : \sigma_1, \ldots, x_n : \sigma_n\} \vdash_\wedge M : \sigma$ corresponds to a 
deduction $\pi : \sigma_1, \ldots, \sigma_n \vdash_{IL} \sigma$ such that $M$ is the form of $\pi$. 

Lemma 6. $\pi : H_1, \ldots, H_n \vdash_{IL} K$ implies $\{x_1 : H_1^p, \ldots, x_n : H_n^p\} \vdash_\wedge T_{x_1 \ldots x_n}(\pi) : K^p$, 
for every $p \in Pt(K)$. 

Proof. The proof is reduced to proving the statement: "$\Pi : H_1, \ldots, H_n \vdash_{pIL} K$ 
implies $\{x_1 : H_1^p, \ldots, x_n : H_n^p\} \vdash_\wedge T_{x_1 \ldots x_n}(\Pi) : K^p$, for every $p \in Pt(K)$ and 
$\Pi \in \pi$" by induction on $\Pi$. Then, the final statement is a corollary of Fact 2. 

In order to study the opposite direction of the correspondence between $\vdash_{IL}$ 
and $\vdash_\wedge$, we need an auxiliary lemma. 

Lemma 7. Let us assume the notations: 

$$\Delta_1 = H_1, \ldots, H_n, \qquad \Delta_2 = H'_1, \ldots, H'_n, \qquad \Delta = [H_1, H'_1], \ldots, [H_n, H'_n].$$

Take any $\Pi_1 : \Delta_1 \vdash_{pIL} K_1$ and $\Pi_2 : \Delta_2 \vdash_{pIL} K_2$ such that $T_{dom(\Delta_1^*)}(\Pi_1) = 
T_{dom(\Delta_2^*)}(\Pi_2)$, for every decoration $\Delta_1^*, \Delta_2^*$ such that $dom(\Delta_1^*) = dom(\Delta_2^*)$. 
There is $\Pi : \Delta \vdash_{pIL} [K_1, K_2]$ such that $T_{dom(\Delta^*)}(\Pi) = T_{dom(\Delta_1^*)}(\Pi_1)$, whenever 
$dom(\Delta^*) = dom(\Delta_1^*)$. 



Proof. The proof can proceed by structural induction on $\Pi_1$. As an example, we 
show the details about an instance of one of the more interesting cases. 

Let: 

$$\dfrac{\Pi'_1 : \Delta_1, K'_1 \vdash_{pIL} K''_1}{\Delta_1 \vdash_{pIL} K'_1 \to K''_1}\ (\to\!I_{pIL})$$

be the last rule of $\Pi_1$. For any decorations $\Delta_1^*$ and $\Delta_2^*$, such that $dom(\Delta_1^*) = 
dom(\Delta_2^*)$, the assumption $T_{dom(\Delta_1^*)}(\Pi_1) = T_{dom(\Delta_2^*)}(\Pi_2)$ assures that the last 
rules of $\Pi_2$ can only be an instance of $(\to\!I_{pIL})$, followed by a, possibly empty, se- 
quence $R_1, \ldots, R_m$ of rules, each belonging to $\{(P_{pIL}), (\wedge I_{pIL}), (\wedge E_{pIL}), (X_{pIL}), 
(W_{pIL})\}$, and such that they apply to the paths $p_1, \ldots, p_m$ of the conclusion of 
$\Pi_2$. Assume: 

$$\dfrac{\Pi'_2 : \Delta_2, K'_2 \vdash_{pIL} K''_2}{\Delta_2 \vdash_{pIL} K'_2 \to K''_2}\ (\to\!I_{pIL})$$

be the last $(\to\!I_{pIL})$ instance of $\Pi_2$, where $\Delta_2 = H'_1, \ldots, H'_n$. Thanks to the 
$\alpha$-equivalence on the $\lambda$-terms, we can always end up with decorations such 
that $dom(\Delta_1^*, x : K'_1) = dom(\Delta_2^*, x : K'_2)$, for some suitable $x$. So, by in- 
duction, there exists a deduction $\Pi' : \Delta, [K'_1, K'_2] \vdash_{pIL} [K''_1, K''_2]$, such that 
$\Delta = [H_1, H'_1], \ldots, [H_n, H'_n]$, and whose decoration is 

$$T_{dom(\Delta^*, x : [K'_1, K'_2])}(\Pi') = T_{dom(\Delta_1^*, x : K'_1)}(\Pi'_1).$$

Now, we can firstly extend $\Pi'$ to $\Pi''$ by a $(\to\!I_{pIL})$, as follows: 

$$\Pi'' : \dfrac{\Pi' : \Delta, [K'_1, K'_2] \vdash_{pIL} [K''_1, K''_2]}{\Delta \vdash_{pIL} [K'_1, K'_2] \to [K''_1, K''_2]}\ (\to\!I_{pIL})$$

By Definition 7, it must be $T_{dom(\Delta^*)}(\Pi'') = \lambda x.T_{dom(\Delta_1^*, x : K'_1)}(\Pi'_1)$. To 
conclude, it is enough to apply $R_1, \ldots, R_m$ to the paths $rp_1, \ldots, rp_m$ of $\Pi''$. 

The other case, which requires some work to be proved, has $(\to\!E_{pIL})$ as last 
rule of $\Pi_1$. 

All the remaining cases, instead, exploit the induction in the simplest way. 

Lemma 8. $\Pi : \{x_1 : \sigma_1, \ldots, x_n : \sigma_n\} \vdash_\wedge M : \tau$ implies $\pi : \sigma_1, \ldots, \sigma_n \vdash_{IL} \tau$ 
such that $M = T_{x_1 \ldots x_n}(\pi)$. 

Proof. The proof is by induction on $\Pi$. Here we limit ourselves to sketching only the non- 
obvious case. Assume we have to prove $\Pi : \{x_1 : \sigma_1, \ldots, x_n : \sigma_n\} \vdash_\wedge M : \sigma \wedge \tau$ from 
the assumptions $\{x_1 : \sigma_1, \ldots, x_n : \sigma_n\} \vdash_\wedge M : \sigma$ and $\{x_1 : \sigma_1, \ldots, x_n : \sigma_n\} \vdash_\wedge 
M : \tau$. By induction, we get both $\sigma_1, \ldots, \sigma_n \vdash_{IL} \sigma$ and $\sigma_1, \ldots, \sigma_n \vdash_{IL} \tau$. Then, 
Lemma 7 implies $[\sigma_1, \sigma_1], \ldots, [\sigma_n, \sigma_n] \vdash_{IL} [\sigma, \tau]$, to which we can apply $(\wedge I_{IL})$ 
to conclude. 

Definition 14. A judgment $K_1, \ldots, K_n \vdash_{IL} H$ is proper if, and only if, $H$ and 
every $K_i$ is an atom. 

We are finally in the position to relate IL and IT: 

Theorem 4. $\pi : \sigma_1, \ldots, \sigma_n \vdash_{IL} \tau$ if, and only if, $x_1 : \sigma_1, \ldots, x_n : \sigma_n \vdash_\wedge 
T_{x_1 \ldots x_n}(\pi) : \tau$, for every $\pi : \sigma_1, \ldots, \sigma_n \vdash_{IL} \tau$ proper. 

Proof. Directly from Lemma 6 and Lemma 8. 

Example 4. Let $\pi$ be the equivalence class which $\Pi_8$ (or $\Pi_{10}$) in Example 3 
belongs to. The corresponding deduction of $\vdash_\wedge$ is the one given in Example 2. 

The correspondence between IL and IT allows us to derive for free the property 
of strong normalization of the $\lambda$-terms typable in IT, with respect to $\beta$- 
reduction. This property was first proved in [19]. 

Theorem 5. Let $\Gamma \vdash_\wedge M : \sigma$. Then, $M$ is strongly normalizable. 

Proof. The proof proceeds in two steps. Firstly, we embed the derivation of 
$\Gamma \vdash_\wedge M : \sigma$ into LJ, getting a derivation $\Pi$. Secondly, we assume the existence 
of a redex of $M$ not present in the normal form of $\Pi$, getting a contradiction. 
Abstract. We introduce a method of extending arbitrary categories by 
a terminal object and apply this method in various type theoretic set- 
tings. In particular, we show that categories that are cartesian closed 
except for the lack of a terminal object have a universal full extension 
to a cartesian closed category, and we characterize categories for which 
the latter category is a topos. Both the basic construction and its cor- 
rectness proof are extremely simple. This is quite surprising in view of 
the fact that the corresponding results for the simply typed $\lambda$-calculus 
with surjective pairing, in particular concerning the decision problem for 
equality of terms in the presence of a terminal type, are comparatively 
involved. 



Introduction 

Cartesian closed categories have attracted considerable interest in theoretical 
computer science due to their close relation to the $\lambda$-calculus [14,5,17]. Indeed, 
up to a certain point, cartesian closed categories and simply typed $\lambda$-calculi with 
surjective pairing and terminal type ($\lambda\pi*$) can be regarded as being essentially 
the same [14]. 

It is this terminal or unit type that we are concerned with here. Terminal 
types are a standard feature in many type systems [4]. In connection with object- 
oriented subtyping paradigms, the terminal object has been regarded as playing 
the role of a maximal type [6]. 

Now it has turned out that, rather unexpectedly, the presence of a termi- 
nal type in a $\lambda$-calculus leads to severe complications concerning confluence and 
hence decidability of equality for terms [6,12]. The equivalence of $\lambda$-calculi and 
cartesian closed categories offers a way around these difficulties: calling a cate- 
gory almost cartesian closed if it is cartesian closed except that it may lack a 
terminal object, one has an equivalence between $\lambda$-calculi with surjective pair- 
ing ($\lambda\pi$) on the one hand and almost cartesian closed categories on the other 
hand. Now the question whether extending a given $\lambda\pi$-calculus by a terminal 
type is conservative translates into the question whether each almost cartesian 
closed category can be (fully) extended by a terminal object to yield a cartesian 
closed category. One of the results presented here answers the latter question 
in the positive, thus generalizing known solutions [14,18] for the case of almost 
cartesian closed categories with only one object, commonly called C-monoids. 
(C-monoids are essentially the same as untyped $\lambda\pi$-calculi.) 
The most striking aspect of this extension result is that it does not really 
depend on cartesian closedness at all; rather, it is an instance of a correspond- 
ing result for entirely arbitrary categories which, given the complexity that the 
problem assumes on the purely syntactical side, is surprisingly easy to state 
and prove. Roughly speaking, this result says that an 'invisible' terminal object, 
along with the 'elements' or 'constant operations' as which one may interpret 
morphisms with terminal domain, are 'nearly' unambiguously encoded in any 
category. This 'nearly' disappears gradually as one ascends through the hierar- 
chy of type systems, up to the point that, for almost cartesian closed categories, 
the terminal object can be regarded as entirely implicit (in fact, we observe on 
the side that the terminal object does not really belong to the structure of a 
cartesian closed category at all, but can rather be viewed as a 'derived opera- 
tion'). 

At the top of the said hierarchy of type systems, we consider the question 
of when the relevant extension produces a topos (i.e. an intuitionistic type the- 
ory [14]). The result is a characterization of 'toposes without terminal objects' 
which shows that the classification of 'singleton subobjects' as well as of subob- 
jects of the terminal object is hidden in the remaining structure of a topos. 

For unexplained categorical terminology see [1,15]; all categories are assumed 
to be locally small (i.e. $hom(A, B) = \{f \mid f : A \to B\}$ is a set for all objects $A, B$). 

1 Adding a Terminal Object 

To start off, we are going to show, in a nutshell, that arbitrary categories admit 
rather few full extensions that add a terminal object. We fix some notation: 
1 always refers to a selected terminal object. The unique morphism $A \to 1$ is 
denoted by $!_A$. 

Now, given any category A, there is always a trivial solution to the problem 
of extending A by a terminal object: just add a new object 1 and a single new 
morphism $A \to 1$ for each object $A$. However, this will rarely produce the desired 
result. In most situations, one will expect there to be morphisms $1 \to A$ as well; 
such morphisms are often called elements of $A$. Now such a morphism $f : 1 \to A$ 
gives rise to a family of morphisms $f_C = f \circ !_C : C \to A$, where $C$ ranges over all 
objects. This family has the property that 

$$f_C \circ g = f_B$$

for each morphism $g : B \to C$, and this rather trivial observation is really all 
we need in order to solve the problem. 

Definition 1. Let $A$ be an object in a category A. A structural element of $A$ 
is a family $(f_C : C \to A)$ of morphisms, indexed over all objects $C$ of A, such 
that $f_C \circ g = f_B$ for each $g : B \to C$ in A. $A$ is called structurally nonempty if 
it has a structural element. 

The class of structural elements of an object $A$ is small, since it injects into 
$hom(A, A)$. A structural element may be regarded as a cocone for the identity functor of A. If A has 
a terminal object, then structural elements are essentially the same as elements. 
In particular, in that case an object $A$ is nonempty, i.e. has an element $1 \to A$, 
iff it is structurally nonempty. 
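An added worked derivation, not in the paper, spelling out the claim that elements and structural elements coincide when A has a terminal object (notation as in Definition 1):

Given $f : 1 \to A$, put $f_C := f \circ !_C$ for each object $C$. For any $g : B \to C$, terminality of $1$ gives $!_C \circ g = !_B$, hence
$$f_C \circ g = f \circ !_C \circ g = f \circ !_B = f_B,$$
so $(f_C)$ is a structural element of $A$. Conversely, given a structural element $(f_C)$, put $f := f_1 : 1 \to A$. Instantiating the defining equation of $(f_C)$ at $g = !_B : B \to 1$ yields
$$f_1 \circ !_B = f_B,$$
so $(f_C)$ is exactly the family $(f \circ !_C)$ built from $f$ by the first construction. Starting instead from $f$, the first construction returns $f_1 = f \circ !_1 = f \circ \mathrm{id}_1 = f$. The two assignments are therefore mutually inverse, which is the bijection between elements $1 \to A$ and structural elements of $A$; in particular $A$ has an element iff it is structurally nonempty.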

Definition 2. A functor $F : A \to B$ preserves a structural element $(f_C)$ in A 
if the family $(Ff_C)_{C \in Ob\,A}$ extends to a structural element $(g_D)$, i.e. $g_{FC} = Ff_C$ 
for each object $C$ of A. If this is the case for all $(f_C)$, then $F$ preserves structural 
elements. 

Note that the extension $(g_D)$ is unique: any other extension $(h_D)$ must satisfy 
$h_D = h_{FA} \circ g_D = Ff_A \circ g_D = g_{FA} \circ g_D = g_D$ for each $D$. If B has a terminal 
object, then the structural element associated to a morphism $g : 1 \to FA$ extends 
$(Ff_C)$ iff $g \circ !_{FC} = Ff_C$ for each $C$; in this case, we say that $g$ extends $(Ff_C)$. 

In the presence of a terminal object, preservation of structural elements re- 
duces to a more familiar property: 

Proposition 3. Let $F : A \to B$ be a functor, and let A have a terminal object. 
Then $F$ preserves structural elements iff it preserves the terminal object. 

Proof. If $F$ preserves structural elements, then $F!_1 = \mathrm{id}_{F1}$ is part of a structural 
element of $F1$, which implies that $F1$ is terminal. The converse implication is 
trivial. 

It suffices to check preservation of a single structural element: 

Lemma 1. Let $F : A \to B$ be a functor, and let $(f_C)$ be a structural element 
of $A$ in A. If $F$ preserves $(f_C)$, then $F$ preserves structural elements. 

Proof. Let $(g_D)$ be a structural element of $FA$ that extends $(Ff_C)$, and let $(h_C)$ 
be a structural element of $B$ in A. Put $k_D = Fh_A \circ g_D$ for each object $D$ in B. 
Then $(k_D)$ is a structural element of $FB$, and $k_{FC} = Fh_A \circ g_{FC} = Fh_A \circ Ff_C = 
F(h_A \circ f_C) = Fh_C$ for each object $C$ in A. 

Corollary 4. If $F : A \to B$ is a full embedding and A contains a structurally 
nonempty object of B, then $F$ preserves structural elements. 

Proof. Let $A$ be an object of A that has a structural element $(f_C)$ in B. Then 
the restriction $(f_C)_{C \in Ob\,A}$ is a structural element of $A$ in A which is preserved 
by $F$. By Lemma 1, this implies the claim. 

Since full embeddings also reflect structural elements in the obvious sense, 
this has a quite striking consequence: any full extension of a category A will 
either leave the set of structural elements of each object of A essentially un- 
changed or make all objects of A structurally empty. In particular, this means 
that there are at most two ways of fully extending A by a terminal object: one 
where all objects of A become empty, and one where the elements of A are es- 
sentially the previous structural elements. We have seen above how to construct 
extensions of the first type; extensions of the (rather more interesting) second 
type always exist as well: 
Theorem 5. Given a category A, there is an essentially unique way of fully 
extending A by a terminal object such that the resulting extension 

$$E : A \to A[1]$$

preserves structural elements. $E$ is universal among the functors $F : A \to C$ such 
that C has a terminal object and $F$ preserves structural elements. Moreover, $E$ 
preserves limits. 

Proof. We begin by constructing the desired extension: let A[1] denote the full 
subcategory of $\mathrm{Set}^{A^{op}}$ spanned by the hom-functors $H_A = hom(-, A)$ and a 
terminal object 1, i.e. a functor that maps all objects to singleton sets. Let 
$E : A \to A[1]$ denote the codomain restriction of the Yoneda embedding 
$A \to [A^{op}, \mathrm{Set}]$; as such, $E$ preserves limits ([3], 2.15.5). 1 is a terminal ob- 
ject of A[1], and natural transformations $1 \to H_A$ are essentially the same as 
structural elements of $A$ (in particular, they form a set). We regard A as an 
actual subcategory of A[1], i.e. we identify $H_A$ with $A$. 

Uniqueness has been discussed above. To prove the universal property, let 
$F : A \to C$ be as in the statement. In order to extend $F$ to a functor $F^\# : 
A[1] \to C$ that preserves the terminal object, put $F^\# 1 = 1$ and $F^\# !_A = !_{FA}$. 
Given $f : 1 \to A$ in A[1], i.e. a structural element $(f_C)$ of $A$, we have to define 
$F^\# f$ as the unique element $1 \to FA$ that extends $(Ff_C)$. All that remains to 
be shown is that $F^\#$ preserves composition. This is clear for composites with codomain 1. 
Preservation of composites $h \circ f$, where $f$ is as above and 
$h : A \to B$ in A, follows from the fact that $Fh \circ F^\# f$ extends $(F(h \circ f_C))$. 
Finally, $F(f \circ !_C) = Ff_C = F^\# f \circ !_{FC} = F^\# f \circ F^\# !_C$, where the second equality 
follows from the fact that $F^\# f$ extends $(Ff_C)$. 

Remark 6. Of course, the factorization F^ constructed in the above proof is 
unique only up to a (unique) natural isomorphism, since the terminal object of 
C is unique up to isomorphism. Therefore, the universal property determines 
A[l] uniquely up to equivalence. Corresponding remarks hold for all similar 
universality statements below. 

It is helpful to restate the construction of A[1] more explicitly: morphisms 
$1 \to A$ in A[1] are structural elements $f = (f_C)$ of $A$. Given a morphism $h : 
A \to B$ in A, $h \circ f$ is the structural element $(h f_C)$; the composite $f \circ !_B$ is just 
$f_B$. 

Remark 7. If A has a structurally nonempty object $U$, then it is easily seen 
that structural elements of $A$ in A are essentially the same as constant morphisms 
$U \to A$. Indeed, there is an alternative construction of A[1] in this case: we can 
fix a structural element $(u_C)$ of $U$, take 1 as a copy of $U$, $!_A = u_A$ for each 
object $A$, and the constant morphisms $U \to A$ as morphisms $1 \to A$. This is 
more or less the description which drops out of the observation that the Karoubi 
envelope of a category A (i.e. the category of idempotents; see e.g. [13,14]) has 
a terminal object iff A has a structurally nonempty object $U$: in that case, 
the terminal object is the idempotent $u_U$, where $(u_C)$ is as above. 
Remark 8. As formulated in [19], categories without further structure can be 
regarded as 'a rather bland theory of types', namely a type theory that admits 
only unary functions (and constants, if we add a terminal object). For comparison 
with more complex type theories, we give an example of how preservation of 
structural elements affects the notion of 'model' here: consider the category A 
with a single object $A$ and a single nontrivial morphism $f : A \to A$ such that 
$f \circ f = f$. A 'model' of A, i.e. a functor from A into, say, Set, will consist of a set 
$X$ equipped with an idempotent unary operation $a$. The class of models becomes 
a lot smaller if we additionally require preservation of structural elements: $f$ 'is' 
a structural element of $A$, the preservation of which amounts to requiring that 
$X \neq \emptyset$ and $a$ is constant, i.e. the restricted models are essentially pointed sets. 

A notion related to preservation of structural elements is preservation of 
structurally nonempty objects, for which there is an all-or-nothing statement 
similar to Lemma 1: 

Lemma 2. Let $F : A \to B$ be a functor. If $F[A]$ contains a structurally 
nonempty object, then $F$ preserves structurally nonempty objects. 

Proof. Let $(g_B)$ be a structural element of $FA$, where $A \in Ob\,A$, and let $(f_C)$ 
be a structural element of $D$, where $D \in Ob\,A$. Then $(Ff_A \circ g_B)_{B \in Ob\,B}$ is a 
structural element of $FD$. 

As seen in Remark 8, there are functors that preserve structurally nonempty 
objects, but not structural elements. 

Lemma 3. A functor preserves structural elements iff it preserves structurally 
nonempty objects and constant morphisms with structurally nonempty domain. 

Proof. If all objects of the domain of the functor are structurally empty, there is 
nothing to show. Otherwise, the statement is a corollary of the observation made 
in Remark 7 that structural elements can be represented by constant morphisms 
with a fixed structurally nonempty domain. 

(Functors that preserve structural elements need not preserve all constant mor- 
phisms: consider, e.g., the inclusion $A \to \mathrm{Set}$, where A 'consists' of the map 
$\{0, 1\} \to \{0\}$.) 

2 Almost Cartesian Categories 

We now briefly discuss how the notions introduced above relate to cartesian 
categories (categories with finite products), i.e. to algebraic type theory [4]. The 
main upshot is that the associated functors already behave rather civilly with 
respect to structural elements. 

Definition 9. A category with products of pairs is called almost cartesian. A 
functor between such categories is called almost cartesian if it preserves products 
of pairs. 
The projections for products $A \times B$ are written $\pi_i^{A,B}$, $i = 1, 2$; the factorization 
of a pair $(f : C \to A, g : C \to B)$ through $A \times B$ is denoted $\langle f, g \rangle$. 

Concerning structural elements, the world is a lot simpler for almost cartesian 
functors than for arbitrary ones: 

Proposition 10. Almost cartesian functors preserve constant morphisms. 

Proof. In an almost cartesian category, a morphism $f : A \to B$ is constant iff 

$$f \circ \pi_1^{A,A} = f \circ \pi_2^{A,A}.$$

Corollary 11. An almost cartesian functor preserves structural elements iff it 
preserves structurally nonempty objects. 

Thus, the choice that an almost cartesian functor is facing is even more ex- 
treme than that for an arbitrary functor (cf. Lemma 1): it can either preserve 
structural elements or make all objects empty. (Note that this implies in par- 
ticular that an almost cartesian functor between cartesian categories will either 
make all objects empty or preserve the terminal object.) 

Theorem 12. If A is almost cartesian, then $A \to A[1]$ is universal among 
all cartesian functors $F : A \to B$ such that B is cartesian and $F$ preserves 
structurally nonempty objects. 

Proof. All that remains to be shown is that A[1] is cartesian. By Theorem 5, 
A[1] has a terminal object and products of pairs of objects of A. In any category with 
a terminal object, each object $A$ is a product of $A$ and 1 (and such products are 
preserved by any functor that preserves the terminal object). 

Remark 13. This translates nicely into the language of algebraic theories: given 
an almost cartesian category A, A[1] is a (multisorted) algebraic theory in 
the standard sense. The models of A[1] in, say, Set, i.e. the cartesian functors 
$A[1] \to \mathrm{Set}$, are essentially the same as the almost cartesian functors $A \to \mathrm{Set}$ 
that preserve structurally nonempty objects. If we drop the latter condition, 
i.e. if we admit almost cartesian functors as models of A[1], the only 
additional model that crops up is the one where all carriers are empty (of course, 
target categories other than Set will, in general, have more than one empty ob- 
ject). 

The introduction of the terminal type can be made explicit on the type 
theoretical side by introducing additional rules for term formation and equality 
in context as shown in Figure 1. It is assumed that a set of rules for an equational 
theory with pairing in a fictitious, though rather standard notation is given and 
is extended by the new rules. The fact that there are (still) two possible ways 
of adding a new terminal type 1 is reflected by the dotted line, which separates 
the common (trivial) part from the particularities of the construction of A[l] 
captured by the two rules at the bottom. 

The first of these is a new term formation rule which introduces new closed 
terms that correspond to previous structural elements. In the premises of this 
$$\dfrac{}{\vdash * : 1} \qquad\qquad \dfrac{}{x : 1 \vdash x = * : 1}$$

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 

$$\dfrac{x : B \vdash s_B : A \ \text{ for each type } B \neq 1 \qquad x, y : A \vdash t[x] = t[y] : A}{\vdash t[*] : A}$$

$$\dfrac{\vdash t[*] : A}{x : A \vdash t[x] = t[*] : A}$$

Fig. 1. Terminal type rules in equational logic 



rule, use is made of the fact that a constant term of type A with a single free 
variable x : A belongs to a (uniquely determined) structural element of A iff, for 
each ‘old’ type B, there exists a term ss of type A with a single free variable 
X : B. We use the notational trick of ‘overloading’ such constant terms, allowing 
to substitute the unit constant * for x : ^ in order to obtain the required closed 
terms. The second rule asserts that these new constants actually represent the 
given structural element. 



3 Almost Cartesian Closed Categories 

The next level upwards in the hierarchy of type systems is that of λ-calculi or, in
the terminology of [4], functional type theories. As indicated in the introduction,
such type theories correspond to cartesian closed categories.

Definition 14. A category A is called almost cartesian closed if it is almost
cartesian and all functors _ × A have right adjoints (_)^A. As usual, the co-universal
arrows for _ × A are called evaluation maps and are denoted ev_{AB} : B^A × A →
B; B^A is called a function space. A functor between almost cartesian closed
categories is called almost cartesian closed if it preserves this structure (i.e.
products of pairs and function spaces) up to isomorphism.

For example, C-monoids as defined in [14] are one-object almost cartesian closed 
categories. 

Just as cartesian closed categories are essentially the same as λπ*-calculi
[14,4], almost cartesian closed categories are essentially the same as λπ-calculi:
given a λπ-calculus L, one can build an almost cartesian closed classifying
category Clo(L) from syntactic material, taking types (not contexts!) as objects
and typed terms modulo provable equality as morphisms. Conversely, an almost
cartesian closed category gives rise to a λπ-calculus in the shape of an internal
language [4]. (Note that the construction of the latter is necessarily slightly
different from the one given in [14]; in particular, one has an operation symbol
f : A_1, ..., A_n → B for each morphism f : A_1 × ··· × A_n → B, n ≥ 1, rather
than only constant symbols.)
As laid out in [4], one of the benefits of the internal language is that it can
be used to define morphisms and prove their equality in a somewhat shorter
notation than via (otherwise equally easy) categorical arguments. We shall use
this facility to define a structural element of B^A that corresponds to a given
morphism f : A → B in an almost cartesian closed category: for each object C,
let f^C : C → B^A be the morphism represented by the term f* = λy : A. f(y) in
the variable x : C (one is tempted to write f* = f, but this is impossible, since
f is not a term). Then (f^C) is a structural element: if g : D → C is a morphism,
then f^C ∘ g is represented by f^C(g(z)) = f*, where z : D, hence equal to f^D.

We have already noticed that almost cartesian functors come quite close to
preserving structural elements. Rather more radically:

Proposition 15. Almost cartesian closed functors preserve structural elements. 

Proof. By Lemma 3 and Proposition 10, all that remains to be shown is that
almost cartesian closed functors preserve structurally nonempty objects. This
follows from Lemma 2 and the fact that objects of the form A^A are structurally
nonempty in any almost cartesian closed category, since they have the structural
element (id_A^C) obtained from id_A as above.

This implies that almost cartesian closed functors between cartesian closed 
categories are cartesian closed, i.e. preserve the terminal object as well (this is, 
of course, easily seen directly). Strangely enough, this fact seems to have gone 
unnoticed up to now. 

At any rate, thanks to this observation, cartesian closed categories and carte- 
sian closed functors form a full subcategory of the category of almost cartesian 
closed categories and almost cartesian closed functors. Thus, the universality 
statement in this context is 

Theorem 16. If A is almost cartesian closed, then A[1] is the cartesian closed
reflection of A.

Proof. The ‘cartesian part’ follows from Theorem 12. In any cartesian category,
the functor _ × 1 is co-adjoint (being naturally isomorphic to the identity), with
the projection A × 1 → A as evaluation map (i.e. A^1 = A). Moreover, 1 × A → 1
is an evaluation map (i.e. 1^A = 1).

In order to see that A[1] is cartesian closed and that A → A[1] is almost
cartesian closed, it remains to be shown that A → A[1] preserves function
spaces. This follows from the known fact that the Yoneda embedding has this
property [19]. However, since the latter statement requires dealing with the
somewhat intricate construction of exponentials in the ‘overly large’ category
[A^op, Set], and since the recurring theme here is ‘simplicity’, we give a short
direct proof: Taking 1 × A = A, we have to show that the co-universal property
of ev_{AB} : B^A × A → B holds also for morphisms f : 1 × A = A → B. Of course,
the associated morphism 1 → B^A we are looking for is the structural element
(f^C). It is easy to see that (f^C) × A : A → B^A × A is really (f^A, id_A),
so that ev_{AB} ∘ ((f^C) × A) = f follows by a calculation in the internal language:
ev_{AB}((f^A, id_A)(x)) = f^A(x) x = f* x = f(x), where x is a variable of type A.

Lastly, we have to verify that the extension A[1] → B of an almost cartesian
functor A → B, where B is cartesian closed, preserves function spaces. This is
clear, since all ‘new’ function spaces are trivial.

In model theoretic terms, Theorem 16 implies the slogan ‘A[1] and A have
essentially the same models’. Syntactically, the situation is, thanks to Proposition
15, a lot simpler than for equational theories: it suffices to add a new ground
type 1, a new symbol *, and the well-known rules

    ⊢ * : 1            x : 1 ⊢ x = * : 1

to a given λπ-calculus L. Let L_1 denote the resulting λπ*-calculus. Explicit
introduction of closed terms as in Figure 1 is unnecessary: a structural element
(f_C) of A is represented by the (preexisting!) closed term f_{A^A}(λx : A.x).

The precise relationship between L_1 and the result of the categorical
construction, namely Clo(L)[1], requires some clarification: the typed terms in
context of L_1 are the morphisms of a classifying category Cl(L_1), constructed as e.g.
in [4] (unlike Clo(L_1), Cl(L_1) has contexts as objects). Now the obvious functor

    Clo(L) → Cl(L_1)

has the same universal property as Clo(L) → Clo(L)[1]: given an almost cartesian
functor F : Clo(L) → A, where A is cartesian closed, a factorization F_1 :
Cl(L_1) → A is constructed by recursion over the structure of types and terms,
respectively, taking 1 to a terminal object. (In other words, models of L in A
can be extended to models of L_1 in the obvious way.) In particular, we have a
recursively defined equivalence (cf. Remark 6)

    Cl(L_1) ≃ Clo(L)[1].

This leads to the following decision procedure for equality of terms in L_1: apply
the above equivalence functor, i.e. recursively build morphisms in Clo(L)[1] (this
is the essence of the construction of ‘top-free’ terms outlined in the conclusion
of [6]). If both the domain and the codomain of the result are nonterminal, then
these morphisms are terms in L with a single free variable; thus, the problem is
reduced to deciding equality in L. The other cases are either trivial or reducible
to the first one by composition with !_A, where A ≠ 1.

By itself, the statement that any almost cartesian closed category extends to a
cartesian closed category (alternatively: any typed λ-calculus with surjective pairing
extends to one that has a terminal type) has hardly any claim to originality.
Indeed, this problem has, despite its apparent triviality, received such an amount
of previous attention that the existing solutions deserve to be listed:

— As outlined in Remark 7, an alternative to using the Yoneda embedding for
the construction of A[1] consists in forming a corresponding subcategory of
the Karoubi envelope (note that, by the above, a nonempty almost cartesian
closed category always has structurally nonempty objects). For the case of
C-monoids, it has been noticed by Scott [19] that the Karoubi envelope is
cartesian closed (see [13] for a detailed exposition), and in [14], it is pointed
out that the terminal object and the ‘original’ reflexive object suffice. It is
surprising that the more general observation that the same process works
for arbitrary almost cartesian closed categories does not seem to have been
explicitly made.

Lutz Schroder

— A rather more complicated syntactic construction which seems to work only 
in the case of C-monoids is exhibited in [18]. 

— On the side of the A-calculus, the problem is discharged in [14], Ch. 12, by 
a sketch of a method for eliminating the terminal object for purposes of 
deciding existence and equality of terms. This method is made slightly more 
explicit in the conclusion of [6]. 

— It is pointed out in [14], Ch. 13, that confluence fails for the rewrite system
obtained by making the usual equations of λπ* directed. It is comparatively
easy to perform a ‘manual Knuth-Bendix completion’ on this system, obtaining
a system that is, by construction, weakly confluent. This procedure
is laid out in [6], where it is also shown that the resulting system is indeed
confluent (and thus provides a decision procedure for equality). Since
the standard methods of establishing normalization fail, the proof of this
statement is rather involved.

— In the conclusion of [6], several other methods of obtaining the decidability 
and conservativity results proved there via the mentioned confluent reduction 
system are discussed, including [10,16]. 

— As an alternative to the approach of [6], it has been suggested to replace η-
contraction by (restricted) η-expansion, thus obtaining a confluent reduction
to long βη-normal forms for the λπ*-calculus [12]. This method is extendible
to polymorphism [8] and even the calculus of constructions [9]. Moreover, it
lends itself to a certain amount of modularization [7], thus allowing simpler
proofs than η-contraction.

— In [11], it is more or less shown that the proper categorical models for the
simply typed λ-calculus (without terminal object or products) are closed
subcategories of cartesian closed categories, which translates back into the
statement that products and a terminal object can be conservatively added
to the simply typed λ-calculus. Less mysteriously put: the classifying category
of a simply typed λ-theory [11], consisting of contexts as objects and
tuples of typed terms in context modulo provable equality as morphisms, is
cartesian closed. The internal language of that category in the sense of [14] is
a λπ*-calculus which conservatively extends the originally given λ-calculus.
(Similar considerations are outlined at the end of [6].)

What we believe is new here is the insight that the extension in question is 
unique, that this fact is not particular to cartesian closed categories, but rather 
an instance of a (very simple) statement about categories in general, and that 
the extension is in fact universal. 




Life without the Terminal Type 



4 Subobject Classifiers 

The most complex type of structured category we are going to consider here is 
that of a topos; on the type theoretical side, the notion of topos corresponds to 
full intuitionistic type theory [14]. 

The most economical definition of topos for our purposes is the one suggested
in [1]: a cartesian closed category A is a topos iff it has a subobject classifier
⊤ : 1 → Ω in the sense that each diagram of the form

    (diagram omitted in this transcription)

has a pullback, and for each subobject (monomorphism) m : A → B, there exists
a unique morphism m* : B → Ω such that

    (diagram omitted in this transcription)

is a pullback. It follows that A has all finite limits.

It is clear that, in the absence of a terminal object, the element ⊤ has to be
replaced by a structural element (⊤_C) of Ω. The diagrams above can then be
interpreted as equalizers of pairs (f, ⊤_B), where f : B → Ω. The problem that
arises is that morphisms 1 → B are also ‘singleton subobjects’ and therefore are
encoded as morphisms B → Ω. Hence the following, not entirely pleasing

Definition 17. A structural subobject classifier is a structural element ⊤ =
(⊤_C) of an object Ω such that

(i) whenever f : B → Ω, then the pair (f, ⊤_B) has an equalizer, or for each
object C, there exists a unique morphism h : C → B such that f ∘ h = ⊤_C;

(ii) for each subobject m : A → B, there exists a unique morphism m* : B → Ω
such that m is an equalizer of (m*, ⊤_B).

Thus, the pullback existence condition for subobject classifiers has been
coded in a more or less obvious way in the definition of a structural subobject
classifier. However, there are still a few subtleties attached to establishing
that subobjects m : A → B, where one of A and B is 1, are properly ‘classified’
in A[1] (recall that, in a topos, 1 may have rather a lot of subobjects!):

Theorem 18. If Ω is a structural subobject classifier in an almost cartesian
category A, then Ω is a subobject classifier in A[1].

Proof. To begin, let !_P : P → 1 be a subobject in A[1] (w.l.o.g., P ∈ Ob A).
Then the projection

    π_1^{C,P} : C × P → C

is a monomorphism for each object C in A. Let p_C be the unique morphism
C → Ω such that π_1^{C,P} is an equalizer of (p_C, ⊤_C). Then the family p = (p_C)
is a structural element of Ω: by the uniqueness requirement in Condition (ii) of
Definition 17, it suffices to show that, given a morphism g : C → B in A, π_1^{C,P} is
an equalizer of (p_B g, ⊤_C). To this end, let h : A → C be a morphism such that
p_B ∘ g ∘ h = ⊤_C ∘ h. Since ⊤_C = ⊤_B ∘ g, the definition of p_B implies that there
exists k : A → B × P; the required (necessarily unique) factorizing morphism
A → C × P for h is (h, π_2^{B,P} ∘ k).

Generally, a morphism g : A → C factors through π_1^{C,P} iff !_A factors through
!_P, i.e. iff there exists a morphism A → P. Moreover, given a structural element q = (q_B) of
Ω, g equalizes (q_C, ⊤_C) (i.e. q_C ∘ g = ⊤_C ∘ g) iff !_A equalizes (q, ⊤) (namely, iff
q_A = ⊤_A). Thus, for C structurally nonempty (say, C = Ω), !_P is an equalizer
of (q, ⊤) iff π_1^{C,P} is an equalizer of (q_C, ⊤_C), i.e. iff q = p.

Secondly, let f : 1 → A be a subobject in A[1] associated to a structural
element (f_C) of A. Then

    (id_A, f_A) : A → A × A

is a monomorphism, hence an equalizer of (⊤_{A×A}, f̄) for some f̄ : A × A → Ω.
Put

    f* = f̄ ∘ (f_A, id_A) : A → Ω.

f is an equalizer of (f*, ⊤_A): let g : C → A be a morphism such that f* ∘ g =
⊤_A ∘ g. Then f̄ ∘ (f_A, id_A) ∘ g = ⊤_{A×A} ∘ (f_A, id_A) ∘ g; hence there exists ḡ : C → A
such that (id_A, f_A) ∘ ḡ = (f_A, id_A) ∘ g. It follows that g = f_A ∘ ḡ = f_C = f ∘ !_C,
i.e. !_C is the (necessarily unique) factorizing morphism for g.

It remains to be shown that f* is unique. Let f be an equalizer of (f^+, ⊤_A)
for some f^+ : A → Ω. Then (id_A, f_A) is an equalizer of (f^+ ∘ π_2^{A,A}, ⊤_{A×A}): if
f^+ ∘ π_2^{A,A} ∘ g = ⊤_{A×A} ∘ g for some g : C → A × A,

    (diagram omitted in this transcription)

then f^+ ∘ π_2^{A,A} ∘ g = ⊤_A ∘ π_2^{A,A} ∘ g, so that the assumption on f^+ implies π_2^{A,A} ∘ g =
f_C. Thus,

    g = (π_1^{A,A} ∘ g, π_2^{A,A} ∘ g) = (π_1^{A,A} ∘ g, f_C)
      = (π_1^{A,A} ∘ g, f_A ∘ π_1^{A,A} ∘ g) = (id_A, f_A) ∘ π_1^{A,A} ∘ g,

i.e. π_1^{A,A} ∘ g is the (necessarily unique) factorizing morphism for g. Now by
uniqueness of f̄, f^+ ∘ π_2^{A,A} = f̄, hence f^+ = f^+ ∘ π_2^{A,A} ∘ (f_A, id_A) = f*.



Corollary 19. A[1] is a topos iff A is an almost cartesian closed category and
has a structural subobject classifier.
Remark 20. There is an important intermediate step missing here: as shown
in [20], Martin-Löf style dependent type theories are, on the categorical side,
equivalent to locally cartesian closed categories, i.e. categories A with a terminal
object such that all slice categories A/A are cartesian closed. Locally cartesian
closed categories are cartesian closed and finitely complete; every topos is locally
cartesian closed. It is an open problem to find a reasonable characterization of
categories A for which A[1] is locally cartesian closed; the difficulty is that the
introduction of a terminal object (in the base category, not in the slices, which
automatically have terminal objects) adds nontrivial new objects to the slices.

Conclusion 

We have shown that, for arbitrary categories, there is a single way of adding a
terminal object apart from the trivial one, and we have discussed in some depth
how this observation relates to various type theories. In particular, we have
demonstrated that the terminal type, although, of course, convenient, can be
entirely ignored in the typed λ-calculus whenever it causes theoretical difficulties
such as the ones treated in [6,12]. Moreover, we have characterized the notion of
‘topos without terminal object’, showing that not only the terminal object itself,
but also the classification of subobjects that involve the terminal object can be
reconstructed.

Two main points have been stressed: the first is the unexpected rigidity which, 
even in simple contexts, governs the elements that a type may or may not have 
in possible extensions. The other is the extreme simplicity of the underlying 
constructions and arguments made possible by a categorical treatment. 

Future work will focus on obtaining similar results for dependent type theo- 
ries, i.e. locally cartesian closed categories, and polymorphic type theories (cov- 
ered in [6]), which, on the categorical side, correspond to a suitable class of 
hyperdoctrines [21]. Moreover, it should be investigated how this work relates 
to singleton types as featured e.g. in [2]. 
Abstract. We show how to build a fully complete model for the maximal
theory of the simply typed λ-calculus with k ground constants, λ_k. This
is obtained by linear realizability over an affine combinatory algebra of
partial involutions from natural numbers into natural numbers. For
simplicity, we give the details of the construction of a fully complete model
for λ_k extended with ground permutations. The fully complete minimal
model for λ_k can be obtained by carrying out the previous construction
over a suitable subalgebra of partial involutions. The full completeness
result is then put to use in order to prove some simple results on the
maximal theory.



Introduction 

A categorical model of a type theory (or logic) is said to be fully complete
([AJ94a]) if, for all types (formulae) A, B, all morphisms f : [[A]] → [[B]], from the
interpretation of A into the interpretation of B, are denotations of a proof-term
of the entailment A ⊢ B, i.e. if the interpretation function from the category
of syntactical objects to the category of denotations is full. The notion of full
completeness is a counterpart to the notion of full abstraction for programming
languages. A fully complete model indicates that there is a very tight connection
between syntax and semantics. Equivalently, one can say that the term model
has been made into a mathematically respectable structure.

Over the past decade, Game Semantics has been used successfully by various 
people to define fully-complete models for various fragments of Linear Logic, 
and to give fully-abstract models for many programming languages, including 
PCF, and other functional and non-functional languages. Recently, a new tech- 
nique, called linear realizability (see [AL99,AL00]), has been proposed as a valid 
and less complex alternative to Game Semantics in providing fully complete and 
fully abstract models. In particular, this technique has been used in [AL99,AL00] 
to define a model fully complete w.r.t. the fragment of system F consisting of 

* Work partially supported by TMR Linear FMRX-CT98-0170. 
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ML polymorphic types, and in [AL99a] to provide a fully complete model for 
PCF. The linear (linear affine) realizability technique amounts to constructing 
a category of Partial Equivalence Relations (PERs) over a Linear Combinatory 
Algebra, LCA, (Affine Combinatory Algebra, ACA). This category turns out to 
be linear (affine), and to form an adjoint model with its co-Kleisli category. The 
notion of Linear (Affine) Combinatory Algebra introduced by the first author 
([Abr97]) refines the standard notion of Combinatory Algebra, in the same way 
in which intuitionistic linear (affine) logic refines intuitionistic logic. The con- 
struction of PER models from LCA’s (ACA’s) of [AL99,AL00] is quite simple 
and clear, and it yields models with extensionality properties. Many examples 
of linear combinatory algebras arise in the context of Abramsky’s categorical 
version of Girard’s Geometry of Interaction ([AJ94,Abr97,Abr96,AHS98]). 

In this paper, we define a fully complete PER model for the maximal theory
≈ on λ_k. λ_k is the simply typed λ-calculus with finitely many ground constants
in the ground type o. The theory ≈ equates two closed λ-terms M, N of type
T_1 → ... → T_n → o if and only if, for all P_1 ≈ Q_1 of type T_1, ..., P_n ≈ Q_n of
type T_n, M P_1 ... P_n =_β N Q_1 ... Q_n. To our knowledge, our model is the first
model of ≈ different from the term model.

For simplicity, we show first how to build a fully complete minimal PER
model M_{o_k} for the simply typed λ-calculus with k ground constants extended
with permutations of ground type. The fully complete minimal model for λ_k can
then be obtained by cutting down the combinatory algebra. The model M_{o_k}
for the extended language arises from the special affine combinatory algebra of
partial involutions used in [AL99,AL00] for modeling System F. It consists,
essentially, of the hierarchy of simple PERs over a PER having exactly k distinct
equivalence classes (for any k ≥ 2). The proof of full completeness carried out
in this paper is based on the linear affine analysis of the intuitionistic arrow,
which is possible in our PER category. Our proof uses a Decomposition Theorem,
which is by now a standard tool in discussing full completeness. In the
present case, given a partial involution which inhabits a PER interpreting a simple
type, the Decomposition Theorem allows us to recover the top-level structure
(up to permutations) of the (possibly infinite) typed Böhm tree corresponding
to the given partial involution. Once we have the Decomposition Theorem, in
order to prove λ-definability, we still need to rule out possibly infinite typed
Böhm trees from the model. In order to do this, we prove an Approximation
Theorem, and we study an intermediate PER model M_{o_⊥} for λ_k extended with
a new ground constant ⊥, intended to denote the undefined constant. A variant
of this model, M_o, for the special case of two ground constants, ⊤ and ⊥, has
been used implicitly as an intermediate construction in the work of [AL99] on
system F.

In order to get a fully complete minimal model for λ_k, we only need to cut
down the algebra of involutions by putting an extra constraint, which allows us
to rule out permutations from the model M_{o_k}.

The full completeness result is then put to use to prove (or re-prove) some
simple facts on the maximal λ-theory. In particular, the Context Lemma follows
immediately from the full completeness of the model. Moreover, we are able to
prove that this holds also for the simply typed (possibly infinite) Böhm trees, in
the special case of exactly two ground constants. We give also some decidability
results, such as whether a finite partial involution belongs to a given type. These
give a semantical procedure to decide, in some special cases, whether two terms
are equivalent in the maximal theory, alternative to the syntactical procedures
by Padovani [Pad95] and Loader [Loa97].

The paper is organized as follows. In Section 1, we recall some definitions
and notations concerning the simply typed λ-calculus with finitely many base
constants, the construction of a PER category over an ACA, and we present the
special ACA of partial involutions. In Section 2 we study the PER model M_{o_k}
for λ_k and we prove that it is fully complete and minimal w.r.t. the extended
calculus. In Section 3, we present the construction of the fully complete and
minimal model for the simply typed λ-calculus. In Section 4, we illustrate some
uses of the full completeness result. Conclusions and directions for future work
appear in Section 5.

Notation. Vectors are written in bold. For f, f' : Nat ⇀ Nat partial functions
from Nat to Nat, and n, n' ∈ Nat, we denote, respectively, by f(n)↓ and by
f(n)↑ the fact that f is defined on n and the fact that f is not defined (diverges)
on n. We denote by f(n) ⇕ f'(n') the equiconvergence predicate, to be read as:
f(n)↓ ⟺ f'(n')↓. Let X, Y be sets; then (l, x) and (r, y), where x ∈ X and
y ∈ Y, denote elements of X + Y. Let X_1, ..., X_n be sets; often we will omit the
parentheses in denoting ((X_1 + ...) + X_{n-1}) + X_n. We will use the abbreviated
notation (i, x) for denoting the element of X_1 + ... + X_n coming from an element
x ∈ X_i.

1 Preliminaries 

This section consists of two parts. In the first part, we recall some definitions and
notations concerning the simply typed λ-calculus λ_k with k base constants, the
maximal theory, and its models. In the second part, we recall the notion of affine
combinatory algebra (ACA) [Abr97], the construction of a PER category over an
ACA [AL99,AL00], and we present the special ACA of partial involutions.

1.1 Simply Typed λ-Calculus, Maximal Theories, Models

Definition 1 (λ_k). The class SimType of simple types over a ground type o is
defined by:

    (SimType ∋) T ::= o | T → T.

Raw Terms are defined as follows:

    (Λ ∋) M ::= c_i | x | λx : T.M | MM,

where c_i ∈ Const_k = {c_1, ..., c_k}, the set of ground constants, and x ∈ Var. We
denote by Λ^0 the set of closed λ-terms.
Well-typed terms. We introduce a proof system for deriving typing judgements
of the form Δ ⊢ M : T, where Δ is a type assignment, i.e. a finite list
x_1 : T_1, ..., x_n : T_n. The rules of the proof system are the following:

    Δ ⊢ c_i : o              Δ, x : T, Δ' ⊢ x : T

      Δ, x : T ⊢ M : S              Δ ⊢ M : T → S     Δ ⊢ N : T
    ----------------------          ---------------------------------
    Δ ⊢ λx : T.M : T → S                     Δ ⊢ MN : S

β-conversion. β-conversion between well-typed terms is the least relation generated
by the following rule and the rules for congruence closure (which we omit):
Δ ⊢ (λx : T.M)N = M[N/x] : S, where Δ, x : T ⊢ M : S, and Δ ⊢ N : T.

It is well-known that the maximal theory over λ_k can be characterized as
follows:

Definition 2 (Maximal Theory on λ_k). Let M, N ∈ Λ^0. We define the
equivalence ≈ ⊆ Λ^0 × Λ^0 by induction on types as follows:

    M ≈ N iff ⊢ M : T_1 → ... → T_n → o, ⊢ N : T_1 → ... → T_n → o, and

    ∀ P_1 ≈_{T_1} Q_1, ..., P_n ≈_{T_n} Q_n.  M P_1 ... P_n =_β N Q_1 ... Q_n.

In this paper, we will focus on categorical models for the simply typed
λ-calculus λ_k. As usual, categorical models of λ_k are cartesian closed categories, in
which types are interpreted by objects and terms in contexts are interpreted by
morphisms.

Definition 3 (Fully Complete Model). A categorical model of λ_k is fully
complete if, for all simple types T and for all h : 1 → [[T]], there exists M ∈ Λ^0
such that h = [[⊢ M : T]], where [[ ]] is the interpretation function in the model.



1.2 PERs over Affine Combinatory Algebras 

In this section, we briefly recall the construction of a PER category from an
affine combinatory algebra (ACA) (see [AL99,AL00] for more details on this
construction). This category turns out to be affine, while its co-Kleisli category
turns out to be cartesian closed. In particular, we focus on a combinatory algebra
of partial involutions A_Pinv, and we consider the model of λ_k induced by the
cartesian closed subcategory of PERs over A_Pinv generated by the special PER
O_k. This latter PER is intended to denote the ground type o.

We start by giving the notion of affine combinatory algebra (ACA): 

Definition 4 (Affine Combinatory Algebra, [Abr97]). An affine combinatory
algebra A = (A, •, !) is an applicative structure (A, •) with a unary (injective)
operation !, and distinguished elements (combinators) B, C, I, K, W, D, δ, F
satisfying the following equations:

    Ix = x        Bxyz = x(yz)        Cxyz = (xz)y        Kxy = x

    Wx!y = x!y!y        D!x = x        δ!x = !!x        F!x!y = !(xy).
Proposition 1 ([AL99,AL00]). Let A = (A, •, !) be an ACA. We define the
category PER_A as follows.

Objects: PERs R ⊆ A × A, i.e. symmetric and transitive relations.

Morphisms: a morphism f from R to S is an equivalence class of the PER
R ⊸ S, where R ⊸ S is defined by: α (R ⊸ S) β iff ∀ γ R γ'. αγ S βγ'.
Let P be the pairing combinator, i.e. (using λ-notation) P = λxyz.zxy. Then,
for all PERs R, S, let R ⊗ S be the PER defined by:

    R ⊗ S = {(Pαβ, Pα'β') | α R α' ∧ β S β'}.

⊗ gives rise to a tensor product on PER_A. We define the PER 1 = {(I, I)} to be
the tensor identity.

For all R, we define !R = {(!α, !β) | α R β}. ! gives rise to a symmetric
monoidal comonad (!, der, δ) on PER_A, where der = [D], and δ denotes, by
abuse of notation, the equivalence class of the combinator δ.

Summarizing, we have:

- The category PER_A is affine.

- The co-Kleisli category (PER_A)_!, induced by the comonad ! on the category
PER_A, is cartesian closed.

- The categories PER_A and (PER_A)_! form an adjoint model.

The first author introduced in [Abr97] a basic important example of an ACA
on the space [Nat ⇀ Nat] of partial functions from natural numbers into natural
numbers. Here we briefly recall the definition of this ACA (see [AL99,AL00] for
more details). The ACA of partial involutions, which we will consider in the next
section, arises as a subalgebra of this.

Let us consider the space [Nat ⇀ Nat] of partial functions from natural
numbers to natural numbers. For any α ∈ [Nat ⇀ Nat] injective, we denote by
α^{-1} the inverse of α. We start by fixing two injective coding functions t and p:

    t : Nat + Nat → Nat,    p : Nat × Nat → Nat.

The first is used in order to define application, and it allows us to transform a one-
input/one-output function into a two-input/two-output function. The latter is
used for creating infinitely many copies of a one-input/one-output function α, i.e.
for defining !α. Application can be explained geometrically, using the language
of “boxes and wires” which arises in the general setting of traced symmetric
monoidal categories (see [JSV96] for an abstract treatment). Let us represent
a one-input/one-output function α ∈ [Nat ⇀ Nat] by the one-input-port/one-
output-port box in Fig. 1(i) below. In order to define the application α • β, for
α, β ∈ [Nat ⇀ Nat], we regard α as a two-input/two-output function via the
coding t. In particular, t; α; t^{-1} : Nat + Nat ⇀ Nat + Nat can be described as a
matrix of 4 one-input/one-output functions, where each entry α_{ij} : Nat ⇀ Nat,
α_{ij} = in_i; t; α; t^{-1}; in_j^{-1}, accounts for the contribution from the i-th input wire
into the j-th output wire (see Fig. 1(ii)).

The result of the application α • β is the following one-input/one-output
function (see Fig. 1(iii)):

    α • β = α_22 ∪ α_21; (β; α_11)*; β; α_12,

where ∪ denotes union of graph relations, and (β; α_11)* denotes ∪_{n≥0} (β; α_11)^n.
Fig. 1. Geometrical description of linear application. (Panels (i), (ii) and (iii)
omitted in this transcription.)



The above formula for computing the application is essentially the Execution 
Formula from Girard’s Geometry of Interaction ([Gir89]). 

The definition of the !-operation on our applicative structure is quite simple. The operation ! is intended to produce, from a single copy of $\alpha$, infinitely many copies of $\alpha$. These are obtained by simply tagging each of these copies with a natural number, i.e. we define: $!\alpha = p^{-1}; (id_{\mathrm{Nat}} \times \alpha); p$.
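As an added example, not part of the paper, the following Python computes the linear application $\alpha \bullet \beta$ by the Execution Formula above and the copying operation $!\alpha$, for one concrete choice of the injective codings: $t$ sends the left wire to the even and the right wire to the odd numbers, and $p$ is Cantor pairing. The sample involution $\beta$ and the constant-like $\alpha$ are constructed for the demonstration and are assumptions, not values from the paper.

```python
"""Added example (not from the paper): alpha . beta via the Execution Formula
and !alpha = p^-1 ; (id x alpha) ; p on partial functions Nat -> Nat.
The codings t (even/odd split) and p (Cantor pairing) are one admissible
choice; the paper only requires them to be injective."""
from math import isqrt
from typing import Callable, Optional

PartialFn = Callable[[int], Optional[int]]  # None encodes "undefined"

# t : Nat + Nat -> Nat.  Wire 1 (inl, the argument side) is the even numbers,
# wire 2 (inr, the result side) the odd numbers.
def t(wire: int, n: int) -> int:
    return 2 * n if wire == 1 else 2 * n + 1

def t_inv(x: int) -> tuple[int, int]:
    return (1, x // 2) if x % 2 == 0 else (2, x // 2)

# p : Nat x Nat -> Nat (Cantor pairing) and its inverse.
def p(i: int, n: int) -> int:
    w = i + n
    return w * (w + 1) // 2 + n

def p_inv(z: int) -> tuple[int, int]:
    w = (isqrt(8 * z + 1) - 1) // 2
    n = z - w * (w + 1) // 2
    return w - n, n

def from_graph(graph: dict[int, int]) -> PartialFn:
    """Partial function with a finite graph; rejects graphs that are not
    symmetric, i.e. that are not partial involutions (Proposition 2)."""
    for x, y in graph.items():
        if graph.get(y) != x:
            raise ValueError(f"graph is not symmetric at {x} -> {y}")
    return lambda x: graph.get(x)

def apply(alpha: PartialFn, beta: PartialFn, n: int) -> Optional[int]:
    """alpha . beta on input n, i.e. alpha_22 U alpha_21;(beta;alpha_11)*;beta;alpha_12.
    The input enters alpha on wire 2.  Whenever alpha answers on wire 1 the
    value is routed through beta and fed back to alpha on wire 1, until alpha
    answers on wire 2 (the output) or some function is undefined."""
    x = t(2, n)
    seen = set()
    while True:
        if x in seen:        # impossible for partial involutions (the walk is
            return None      # reversible), but a guard for arbitrary callables
        seen.add(x)
        y = alpha(x)
        if y is None:
            return None
        wire, m = t_inv(y)
        if wire == 2:
            return m         # alpha_22, or ...;alpha_12: value leaves on wire 2
        b = beta(m)          # wire 1: hand the value to beta ...
        if b is None:
            return None
        x = t(1, b)          # ... and feed beta's answer back on wire 1

def bang(alpha: PartialFn) -> PartialFn:
    """!alpha: copy number i of alpha acts on the inputs tagged with i."""
    def banged(z: int) -> Optional[int]:
        i, n = p_inv(z)
        a = alpha(n)
        return None if a is None else p(i, a)
    return banged

# Linear identity: wires 1 and 2 are connected crosswise (alpha_12 = alpha_21 = id,
# alpha_11 = alpha_22 = empty), so identity . beta = beta.
def identity(x: int) -> Optional[int]:
    wire, m = t_inv(x)
    return t(3 - wire, m)

# Constructed argument: the partial involution {3 <-> 5, 7 <-> 7}.
BETA = from_graph({3: 5, 5: 3, 7: 7})

def demo() -> dict[str, Optional[int]]:
    # An alpha that answers on wire 2 without ever consulting its argument.
    const = from_graph({t(2, 1): t(2, 2), t(2, 2): t(2, 1)})
    return {
        "identity.beta(3)": apply(identity, BETA, 3),  # 5, routed through beta
        "identity.beta(4)": apply(identity, BETA, 4),  # None, beta undefined at 4
        "const.beta(1)": apply(const, BETA, 1),        # 2, beta never consulted
        "!beta(p(4,3))": bang(BETA)(p(4, 3)),          # p(4,5), copy 4 of beta
    }

if __name__ == "__main__":
    print(demo())
```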

For the definition of the affine combinators on $([\mathrm{Nat} \rightharpoonup \mathrm{Nat}], \bullet, !)$ see [AL00].

There are many possible conditions that can be imposed on partial functions in order to cut down the space $[\mathrm{Nat} \rightharpoonup \mathrm{Nat}]$, still maintaining closure under the application, !, and all the affine combinators. The subalgebra which we are interested in is obtained by considering partial involutions:

Proposition 2. Let $f : \mathrm{Nat} \rightharpoonup \mathrm{Nat}$. $f$ is a partial involution iff its graph is a symmetric relation. Let us denote by $[\mathrm{Nat} \rightharpoonup_{inv} \mathrm{Nat}]$ the space of partial involutions from Nat to Nat. Then $\mathcal{A}_{Pinv} = ([\mathrm{Nat} \rightharpoonup_{inv} \mathrm{Nat}], \bullet, !)$ is an affine combinatory algebra.

$\mathcal{A}_{Pinv}$ is a highly constrained algebra. Partial involutions are reminiscent of the copy-cat strategies of game categories. Notice that the only computational effect that the combinators have is that of copying information from input to output wires. Partial involutions $f$ on a set $S$ correspond biuniquely to pairwise disjoint families of subsets $\{x, y\}$ of $S$, where $\{x, y\}$ is in the family if and only if $f(x) = y$ (and hence also $f(y) = x$). We can think of these as abstract families of "axiom links" as in the proof-nets of Linear Logic.



2 A Fully Complete Minimal Model for an Extended Calculus

In this section, we define a model for $\lambda_k$ in a suitable subcategory of the co-Kleisli category of $PER_{\mathcal{A}_{Pinv}}$. We prove that this model is fully complete w.r.t. $\lambda_k$ extended with constants for all transpositions¹ of type $o \to o$. The proof of full completeness will use an Approximation Theorem and an intermediate model, which allows for partial elements.

We start by introducing the PER $O_k$ on $\mathcal{A}_{Pinv}$, with $k$ distinct equivalence classes. Our model is defined in the co-Kleisli category of the affine category freely generated by $O_k$.

Definition 5 (The PER $O_k$). Fix distinct natural numbers ("moves") $*_1, \ldots, *_k, a_1, \ldots, a_k$. Let $O_k$ be the PER on the combinatory algebra $\mathcal{A}_{Pinv}$ consisting of $k$ equivalence classes defined by:

- $C_1 = \{ f : \mathrm{Nat} \rightharpoonup_{inv} \mathrm{Nat} \mid f(*_1) = a_1 \wedge \forall m \neq 1.\ a_m \notin dom(f) \}$

- ...

- $C_k = \{ f : \mathrm{Nat} \rightharpoonup_{inv} \mathrm{Nat} \mid f(*_k) = a_k \wedge \forall m \neq k.\ a_m \notin dom(f) \}$.

Definition 6 ($\mathcal{M}_{O_k}$). Let $\mathcal{M}_{O_k} = (CCPER_{O_k}, \bullet_{O_k}, [\![\ ]\!]^{O_k})$ be the model of $\lambda_k$, where $CCPER_{O_k}$ is the co-Kleisli category of the (linear) affine category freely generated by $O_k$.

First of all notice that, by the fact that the PER $O_k$ has only a finite number of equivalence classes and by extensionality of the PER model, each PER in $CCPER_{O_k}$ has only finitely many equivalence classes. Moreover, it is easy to check that the equivalence classes of the PER $O_k \multimap O_k$ correspond to the permutations from $O_k$ to $O_k$, i.e. an involution $f$ belongs to $dom(O_k \multimap O_k)$ if and only if $\forall C_i\ \exists C_j.\ f \bullet C_i = C_j$. Different permutations are in different equivalence classes of $O_k \multimap O_k$. It is standard that all permutations can be obtained by suitably composing elementary permutations, i.e. transpositions. Permutations (transpositions) of ground type are sufficient to $\lambda$-define all the elements of $\mathcal{M}_{O_k}$, i.e. $\mathcal{M}_{O_k}$ is fully complete. The proof of this fact is based on a Decomposition Theorem for the partial involutions in the domains of the PERs interpreting a simple type:

Theorem 1 (Decomposition). Let $T = T_1 \to \ldots \to T_n \to o \in SimType$, $n \ge 0$, where, for all $i = 1, \ldots, n$, $T_i = U_{i1} \to \ldots \to U_{iq_i} \to o$. If $f \in dom(\bigotimes_{i=1}^{n} ![\![T_i]\!]^{O_k} \multimap O_k)$, then

- either $f \in dom([\![x : T \vdash c_i : o]\!]^{O_k})$, for some $c_i$,

- or $\exists i \in \{1, \ldots, n\}$, $\exists p_{O_k} : O_k \multimap O_k$ permutation, and $\exists g_1, \ldots, g_{q_i}$, where $\forall j \in \{1, \ldots, q_i\}.\ g_j \in dom(\bigotimes_{l=1}^{n} ![\![T_l]\!]^{O_k} \multimap [\![U_{ij}]\!]^{O_k})$, such that

$$ f\ \Big(\bigotimes_{i=1}^{n} ![\![T_i]\!]^{O_k} \multimap O_k\Big)\ \big(con_{\bigotimes_{i=1}^{n} ![\![T_i]\!]^{O_k}};\ (\pi^{n}_{i} \otimes \langle g_1, \ldots, g_{q_i} \rangle);\ Ap\big);\ p_{O_k}, $$

where, by abuse of notation, we denote representatives of equivalence classes of some canonical morphisms in the affine category freely generated by $O_k$ by the canonical morphisms themselves.

¹ I.e. permutations which exchange exactly two elements.
Since the $g$'s appearing in the Decomposition Theorem still live (up to uncurrying) in a PER interpreting a simple type, we could keep on iterating the decomposition, expanding in turn these $g$'s, thus getting (up to permutations) a possibly infinite tree from $f$:

[Tree diagram not reproduced: root $f$, whose children are the $g$'s of the decomposition, each expanded in turn.]

Partial involutions which generate, under Decomposition, a finite tree are easily proved to be $\lambda$-definable. Therefore, if the Decomposition Theorem holds, in order to get the full completeness result, we are only left to deal with partial involutions generating trees whose height is infinite, which would correspond to infinite typed Böhm trees. The proof of Theorem 1 follows a standard pattern, and it is carried out in detail in Section 2.1. The proof of $\lambda$-definability uses the Decomposition Theorem, and two further ingredients: an Approximation Theorem, and an intermediate model. These are discussed in Section 2.2. From the $\lambda$-definability result, we have immediately:

Theorem 2 (Full Completeness for an Extended Language). The model $\mathcal{M}_{O_k}$ is fully complete and minimal w.r.t. $\lambda_k$, enriched with constants for all transpositions¹ of type $o \to o$.

Notice that we use the full completeness result in order to show that $\mathcal{M}_{O_k}$ is minimal, i.e. it realizes the maximal theory on the extended calculus.

2.1 Proof of the Decomposition Theorem

Let $T \in SimType$, and $\mathcal{R} = [\![T]\!]^{O_k}$, where $\mathcal{R} = \bigotimes_{i=1}^{n} !\mathcal{R}_i \multimap O_k$, and, for all $i = 1, \ldots, n$, $\mathcal{R}_i = \bigotimes_{j=1}^{q_i} !\mathcal{S}_{ij} \multimap O_k$. Let $f \in dom(\bigotimes_{i=1}^{n} !\mathcal{R}_i \multimap O_k)$. We analyze the behaviour of $f$ as operator in an application to arguments $!g_1 \in\ !\mathcal{R}_1, \ldots, !g_n \in\ !\mathcal{R}_n$. I.e., let us apply the coding functions $t, p$ of Section 1.2, in order to get

$$ f : ((\mathrm{Nat} \times \mathrm{Nat}) + \ldots + (\mathrm{Nat} \times \mathrm{Nat})) + \mathrm{Nat} \rightharpoonup ((\mathrm{Nat} \times \mathrm{Nat}) + \ldots + (\mathrm{Nat} \times \mathrm{Nat})) + \mathrm{Nat}, $$

where in the domain (codomain) of $f$ there are $n$ occurrences of $\mathrm{Nat} \times \mathrm{Nat}$, each one corresponding to one of the $n$ arguments to which $f$ applies. In the interaction with the $i$-th argument $!g_i$ only the $i$-th occurrence of $\mathrm{Nat} \times \mathrm{Nat}$ in the domain (codomain) of $f$ is involved. In particular, the left-hand occurrence of Nat in $\mathrm{Nat} \times \mathrm{Nat}$ refers to the copy of the argument $!g_i$ used, while the right-hand occurrence of Nat carries the values from (to) $g_i$.

We have two possibilities, according to the behaviour of $f$ on the inputs $*_1, \ldots, *_k$ (other input values are not relevant, by definition of the PER $O_k$):

Lemma 1. Let $f \in dom(\mathcal{R} \multimap O_k)$, where $\mathcal{R} = \bigotimes_{i=1}^{n} !\mathcal{R}_i \multimap O_k$, and, for all $i = 1, \ldots, n$, $\mathcal{R}_i = \bigotimes_{j=1}^{q_i} !\mathcal{S}_{ij} \multimap O_k$. Then

1. either $\exists *_j.\ f(r, *_j) = (r, a_j)\ \wedge\ \forall *_k \neq *_j.\ (r, *_k), (r, a_k) \notin dom(f)$. I.e. $f \in [\![x : T \vdash c_j : o]\!]^{O_k}$.

2. or $\exists i \in \{1, \ldots, n\}$ such that

(a) $\forall *_j\ \exists i_0.\ f(r, *_j) = (l, (i, (i_0, m)))\ \wedge\ m = (r, y_k)$ where $y_k \in \{*_k, a_k\}$, and

(b) $\forall k, j\ \big(f(r, *_j) = (l, (i, (i_0, (r, *_k)))) \Rightarrow f(l, (i, (i_0, (r, a_k)))) = (r, a_j)\ \wedge\ f(r, *_j) = (l, (i, (i_0, (r, a_k)))) \Rightarrow f(l, (i, (i_0, (r, *_k)))) = (r, a_j)\big)$.



Proof. Item 1 is easy to prove. We focus on the proof of item 2. As far as item 2a is concerned, one can easily show that, for any given $*_j$, $\exists i_0$ s.t. $f(r, *_j) = (l, (i, (i_0, m)))$ and $m = (r, y_k)$. The proof of the fact that, for all $*_j$, the argument $i$ interrogated by $f$ is the same is based on a "counting argument". If we "split" the responses to initial questions $*_j$ among different arguments, then we lose totality, because of the constraints of being a partial involution. Namely, assume by contradiction that it is not the case that for all initial questions $*_j$ the responses are in the same argument. Then, for all $i = 1, \ldots, n$ $\exists p_i$ s.t.

$$ \forall *_j\ \forall i_0 \in \mathrm{Nat}.\ f(r, *_j) \neq (l, (i, (i_0, (r, x_{p_i})))), \quad \text{for } x \in \{*, a\}. $$

Then consider constants $Kc_{p_1}, \ldots, Kc_{p_n}$ in $\mathcal{R}_1, \ldots, \mathcal{R}_n$. Then we have

$$ \forall *_j.\ f \bullet (Kc_{p_1}) \ldots (Kc_{p_n})(*_j) \uparrow, \quad \text{i.e. } f \notin dom(\mathcal{R} \multimap O_k). \text{ Contradiction.} $$

Finally, in order to prove item 2b, one can proceed by contradiction, and by case analysis. This concludes the proof of Lemma 1. □



Using Lemma 1 above, one can easily prove the following two lemmata: Linearization of Head Occurrence and Linear Function Extensionality. The factorization of the proof of the Decomposition Theorem in these two lemmata is standard, but notice the special form of Linear Function Extensionality, where permutations come into play.

Lemma 2 (Linearization of Head Occurrence). Let $\mathcal{R} = \bigotimes_{i=1}^{n} !\mathcal{R}_i \multimap O_k$, where, for all $i = 1, \ldots, n$, $\mathcal{R}_i = \bigotimes_{j=1}^{q_i} !\mathcal{S}_{ij} \multimap O_k$. Then, for all $f \in dom(\mathcal{R} \multimap O_k)$, where $\mathcal{R}$ is an abbreviation for $\bigotimes_{i=1}^{n} !\mathcal{R}_i$, there exist $i \in \{1, \ldots, n\}$ and $f' \in dom(\mathcal{R}_i \multimap \mathcal{R} \multimap O_k)$ strict, i.e. $(t + t;\ t;\ f';\ t^{-1};\ t^{-1} + t^{-1})(r, (r, *)) = (l, (r, *))$, such that $f\ (\mathcal{R} \multimap O_k)\ (con_{\mathcal{R}};\ \pi^{n}_{i} \otimes id_{\mathcal{R}};\ \Lambda^{-1}(f'))$. □

Now we examine the structure of $f'$. One can show that:

Lemma 3 (Linear Function Extensionality). Let $\mathcal{S}, \mathcal{R}$ be PERs. Then, for all $f \in dom((\mathcal{S} \multimap O_k) \multimap (\mathcal{R} \multimap O_k))$ strict, there exists $f' \in dom(\mathcal{R} \multimap \mathcal{S})$ such that $f\ ((\mathcal{S} \multimap O_k) \multimap (\mathcal{R} \multimap O_k))\ \Lambda(((id_{\mathcal{S}} \multimap p_{O_k}) \otimes f');\ Ap)$, where $p_{O_k}$ is a permutation in the PER $O_k \multimap O_k$.

The last technical lemma that we need in order to prove the Decomposition 
Theorem amounts to a general fact which follows by construction of the category 
of PERs over an ACA (see Section 1.2): 
Lemma 4 (Uniformity of Threads). The following isomorphism holds, for all PERs $\mathcal{R}, \mathcal{S}$,

$$ (id_{!\mathcal{R}} \multimap der_{\mathcal{S}}) : (!\mathcal{R} \multimap\ !\mathcal{S}) \simeq (!\mathcal{R} \multimap \mathcal{S}) : (\lambda [f] \in\ !\mathcal{R} \multimap \mathcal{S}.\ ([f])_{\mathcal{R},\mathcal{S}}), $$

where $(\ )_{\mathcal{R},\mathcal{S}}$ is the canonical morphism induced by the comonad $!$.

Finally, we have:

Proof of the Decomposition Theorem 1. If case 1 of Lemma 1 applies, then we are done. If case 2 applies, then, by Lemma 2, there exist $i \in \{1, \ldots, n\}$ and $f' \in dom(\mathcal{R}_i \multimap (\mathcal{R} \multimap O_k))$ s.t. $f\ (\mathcal{R} \multimap O_k)\ (con_{\mathcal{R}};\ \pi^{n}_{i} \otimes id_{\mathcal{R}};\ \Lambda^{-1}(f'))$. By Lemma 3, $\exists g, p_{O_k}$ s.t. $f'\ ((\mathcal{S}_i \multimap O_k) \multimap (\mathcal{R} \multimap O_k))\ \Lambda(((id_{\mathcal{S}_i} \multimap p_{O_k}) \otimes g);\ Ap)$. Then $f\ (\mathcal{R} \multimap O_k)\ con_{\mathcal{R}};\ (id_{\mathcal{S}_i} \multimap p_{O_k});\ \pi^{n}_{i} \otimes g;\ Ap$. Finally, by Lemma 4, by definition of the product of PERs and by the universality property of the product, we obtain $g\ (\mathcal{R} \multimap \mathcal{S}_i)\ \langle g_1, \ldots, g_{q_i} \rangle$, for some $g_1 \in \mathcal{S}_{i1}, \ldots, g_{q_i} \in \mathcal{S}_{iq_i}$. □

2.2 Proof of $\lambda$-Definability

The proof of the $\lambda$-definability property of $\mathcal{M}_{O_k}$ is quite involved and it uses an Approximation Theorem and an intermediate PER model $\mathcal{M}_{O_k^{\bot}}$ for the simply typed $\lambda$-calculus $\lambda_k^{\bot}$ with $k$ ground constants plus an extra undefined ground constant $\bot$. This model allows for partial elements (approximants).

The Approximation Theorem. We start by introducing the notion of approximant of a partial involution. By repeatedly applying the Decomposition Theorem to a partial involution $f$ in the model $\mathcal{M}_{O_k}$, we obtain a (possibly) infinite typed Böhm tree (up to permutations). The $j$-th approximant of $f$ is a partial involution obtained by truncating this tree at level $j$, and by substituting the empty partial involution for each subtree so erased. Notice that approximants are not in the model, in general. Formally:

Definition 7 (Approximants). Let $f \in dom(\mathcal{R})$, where $\mathcal{R} = [\![T]\!]$ for some simple type $T$.

- We define the $j$-th tree, $t_j(f)$, of height at most $j$, generated from $f$ after iterated applications of the Decomposition Theorem, by induction on $j$ as follows:

  • $t_0(f)$ is the tree of height 0 with only a root labeled by $f$;

  • given the tree $t_j(f)$ of height at most $j$, the tree $t_{j+1}(f)$ is obtained from the tree $t_j(f)$ by expanding the possible leaves at level $j$ via the Decomposition Theorem.

- We define the $j$-th approximant of $f$, $p_j(f)$, as the partial involution obtained from the tree $t_j(f)$ by substituting any partial involution at level $j$ by the empty partial involution.

By monotonicity of $\bullet$ we have immediately:

Lemma 5. Let $T_1 \to \ldots \to T_n \to o \in SimType$, let $f \in dom(\bigotimes_{i=1}^{n} ![\![T_i]\!] \multimap O_k)$. Then $\forall j \ge 0.\ p_j(f) \subseteq p_{j+1}(f)$.
Theorem 3 (Approximation). Let $T_1 \to \ldots \to T_n \to o$ be a simple type, and let $f \in dom(\bigotimes_{i=1}^{n} ![\![T_i]\!] \multimap O_k)$. Then

$$ f\ \Big(\bigotimes_{i=1}^{n} ![\![T_i]\!] \multimap O_k\Big)\ \Big(\bigcup_{j \in \omega} p_j(f)\Big). $$

Proof. We have to show that, $\forall g \in \bigotimes_{i=1}^{n} ![\![T_i]\!]$, $f \bullet g\ O_k\ (\bigcup_{j \in \omega} p_j(f)) \bullet g$. I.e.:

i) $\forall *_i.\ f \bullet g(*_i) \uparrow\ \iff\ (\bigcup_{j \in \omega} p_j(f)) \bullet g(*_i) \uparrow$, and

ii) $f \bullet g(*_i) = a_i\ \iff\ (\bigcup_{j \in \omega} p_j(f)) \bullet g(*_i) = a_i$.

The implications (⇒) in i) and (⇐) in ii) follow from monotonicity of $\bullet$ and from the fact that, for all $j$, the graph of $p_j(f)$ is contained in the graph of $f$. In order to show i)(⇐) and ii)(⇒), one can check that, if $f \bullet g(*_i) = a_i$ and the result is obtained with a thread of length at most $2j$, then $p_j(f) \bullet g(*_i) = a_i$. □

The PER Model $\mathcal{M}_{O_k^{\bot}}$.

Definition 8. Let $\mathcal{M}_{O_k^{\bot}}$ be the PER model induced by the ground PER $O_k^{\bot}$ defined as follows. Fix distinct natural numbers $*_1, \ldots, *_k, a_1, \ldots, a_k$. Let $O_k^{\bot}$ be the PER on the ACA $\mathcal{A}_{Pinv}$ consisting of $k + 1$ equivalence classes defined by:

- $\bot = \{ f : \mathrm{Nat} \rightharpoonup_{inv} \mathrm{Nat} \mid \forall i \in \{1, \ldots, k\}.\ *_i, a_i \notin dom(f) \}$

- $C_1 = \{ f : \mathrm{Nat} \rightharpoonup_{inv} \mathrm{Nat} \mid f(*_1) = a_1 \wedge \forall m \neq 1.\ a_m \notin dom(f) \}$

- ...

- $C_k = \{ f : \mathrm{Nat} \rightharpoonup_{inv} \mathrm{Nat} \mid f(*_k) = a_k \wedge \forall m \neq k.\ a_m \notin dom(f) \}$.

$\mathcal{M}_{O_k^{\bot}}$ is a model of $\lambda_k^{\bot}$, i.e. the simply typed $\lambda$-calculus with $k$ ground constants plus the extra ground constant $\bot$. In particular, approximants are in $\mathcal{M}_{O_k^{\bot}}$. The relationship with the model $\mathcal{M}_{O_k}$ is given by the following lemma:

Lemma 6. Let $f \in dom([\![T \multimap o]\!]^{O_k})$. Then

i) $f \in dom([\![T \multimap o]\!]^{O_k^{\bot}})$.

ii) $\exists J > 0.\ f\ [\![T \multimap o]\!]^{O_k^{\bot}}\ p_J(f)$.

Proof. i) Assume that $f \in dom([\![T \multimap o]\!]^{O_k})$. By the Approximation Theorem 3, $f \simeq \bigcup_{j \in \omega} p_j(f)$ in $\mathcal{M}_{O_k}$. Moreover, for all $j$, $p_j(f) \in dom([\![T \multimap o]\!]^{O_k^{\bot}})$, and hence also $\bigcup_{j \in \omega} p_j(f) \in dom([\![T \multimap o]\!]^{O_k^{\bot}})$. Then, using an argument similar to the one used in the proof of the Approximation Theorem, one can check that $\forall g \in [\![T]\!]^{O_k^{\bot}}.\ \forall *_i.\ f \bullet g(*_i) \simeq \bigcup_j p_j(f) \bullet g(*_i)$. Hence, in particular, $f \in dom([\![T \multimap o]\!]^{O_k^{\bot}})$.

ii) By the proof of item i) of this lemma, $f \simeq \bigcup_{j \in \omega} p_j(f)$ in $\mathcal{M}_{O_k^{\bot}}$, and $\forall j.\ p_j(f) \in dom([\![T \multimap o]\!]^{O_k^{\bot}})$. Moreover, since $[\![T \multimap o]\!]^{O_k^{\bot}}$ has only finitely many equivalence classes, by Lemma 5, there exists $J > 0$ such that, for all $m_1, m_2 > J$, $p_{m_1}(f)\ [\![T \multimap o]\!]^{O_k^{\bot}}\ p_{m_2}(f)$. Hence $f\ [\![T \multimap o]\!]^{O_k^{\bot}}\ p_J(f)$ in $\mathcal{M}_{O_k^{\bot}}$. □
$\lambda$-Definability of $\mathcal{M}_{O_k}$. Finally, we are in the position of proving that all partial involutions $f \in dom([\![T \multimap o]\!]^{O_k})$ are $\lambda$-definable. We proceed by induction on types. The base case is easy. Let us consider the induction step.

By the Approximation Theorem 3 and by Lemma 6ii), there exists $J$ such that $f \simeq p_J(f)$ in the model $\mathcal{M}_{O_k^{\bot}}$. Hence, using Lemma 6i), we have, in particular, that: $\forall g \in [\![T]\!]^{O_k}.\ \forall *_i.\ f \bullet g(*_i) = p_J(f) \bullet g(*_i)$. Therefore, $p_J(f) \simeq f$ in $\mathcal{M}_{O_k}$. Let us call $P_J$ the $\lambda$-term whose interpretation in $\mathcal{M}_{O_k^{\bot}}$ is $p_J(f)$. Two cases can arise:

1) $\exists M : T$, $M$ $\bot$-free, such that $P_J M =_{\beta} \bot$.

2) $\forall M : T$, $M$ $\bot$-free, $P_J M \neq_{\beta} \bot$.

If case 1 applies, then we have a contradiction, since $\bot \notin O_k$. If case 2 applies, then one can check that $P_J$ is equivalent in the maximal theory to any $\lambda$-term $P'$ obtained from $P_J$ by substituting any constant $c \neq \bot$ for each possible occurrence of $\bot$ in $P_J$. But then, since, by induction hypothesis, $\forall g \in [\![T]\!]^{O_k}$, $g$ is $\lambda$-definable, $[\![P']\!]^{O_k} \bullet g \simeq [\![P_J]\!]^{O_k^{\bot}} \bullet g$ in $\mathcal{M}_{O_k}$, and hence $[\![P']\!]^{O_k} \simeq p_J(f) \simeq f$, i.e. $f$ is $\lambda$-definable.

This concludes the proof of Theorem 2.

3 A Fully Complete Minimal Model for the Simply Typed $\lambda$-Calculus

One can build a fully complete model for the simply typed $\lambda$-calculus $\lambda_k$, by getting rid of permutations in the models $\mathcal{M}_{O_k}$. There are two ways of doing this. The first is "low-level", and it amounts to cutting down the affine combinatory algebra of partial involutions, by placing additional constraints on the partial involutions, similarly to what one does in [AL99a] for getting a fully abstract model for PCF. Alternatively, one can define a suitable logical relation and use it to cut down the PER model. We briefly sketch the first technique.

For the sake of simplicity, let us consider, in place of the set of natural numbers, the following set of inductively defined moves:

Definition 9. Let $k \in \mathrm{Nat}$. We define

$$ (M_k \ni)\ m ::= *_i \mid a_i \mid (l, m) \mid (r, m) \mid (j, m), $$

where $i = 1, \ldots, k$ and $j \in \mathrm{Nat}$.

We regard $M_k$ as equipped with the intrinsic coding functions $[l, r] : M_k + M_k \to M_k$, and $(\ ,\ ) : \mathrm{Nat} \times M_k \to M_k$.

One could equivalently take the moves to be natural numbers (under suitable assumptions on coding functions), but the set $M_k$ simplifies the argument. We can immediately define a function $v$ on moves, which, for any move $m$, provides the index $i$ of the basic move $*_i$ or $a_i$ of which the move $m$ is made up. I.e.:

Definition 10. Let $v : M_k \to \mathrm{Nat}$ be defined as follows. For all $i \in \mathrm{Nat}$, for all $m \in M_k$,

$$ v(*_i) = v(a_i) = i, \qquad v((l, m)) = v((r, m)) = v((i, m)) = v(m). $$

Partial involutions which preserve the function $v$ still form an affine combinatory algebra.

Proposition 3 (Full Completeness and Minimality). Let $\mathcal{A}_{vPinv}$ be the affine combinatory algebra whose carrier is the set of partial involutions $f : M_k \rightharpoonup M_k$ such that, for all $m \in dom(f)$, $v(f(m)) = v(m)$. Then the model induced by the PER $O_k$ over $\mathcal{A}_{vPinv}$ is fully complete and minimal w.r.t. $\lambda_k$.

4 Some Applications of the Full Completeness Results

Our fully complete model provides immediately semantical proofs of some interesting facts concerning the maximal theory $\approx$ over the simply typed $\lambda$-calculus with or without permutations.

Context Lemma.

Definition 11 (Applicative Equivalence). Let $\approx^{app}$ be defined by

$$ M \approx^{app} N \iff \forall P_1, \ldots, P_n \in \Lambda^{0}.\ M P_1 \ldots P_n =_{\beta} N P_1 \ldots P_n. $$

Lemma 7 (Context Lemma). The theory $\approx$ admits an applicative characterization, i.e. $M \approx N \iff M \approx^{app} N$.

The Theory on Infinitary Böhm Trees is Conservative. Let us call $\mathcal{M}_O$ the variant of the model $\mathcal{M}_{O_k^{\bot}}$ obtained by considering two ground constants, $\bot$ and $\top$, and by defining the ground Sierpinski PER as follows: fix $* \in \mathrm{Nat}$, $\bot = \{ f : \mathrm{Nat} \rightharpoonup_{inv} \mathrm{Nat} \mid * \notin dom(f) \}$, $\top = \{ f : \mathrm{Nat} \rightharpoonup_{inv} \mathrm{Nat} \mid f(*) = * \}$.

Then one can check that $\mathcal{M}_O$ is fully complete and minimal directly for the simply typed $\lambda$-calculus with two ground constants. Actually $\mathcal{M}_O$ is a fully complete model for the maximal theory on the infinitary calculus, i.e. the simply typed, possibly infinite, Böhm trees:

Definition 12 (Infinitary Typed Böhm Trees). We define the infinitary typed Böhm trees as the trees obtained as suprema of typed Böhm trees corresponding to approximants.

Using the model $\mathcal{M}_O$, we can show that, in the case of two ground constants, the theory over infinitary typed Böhm trees is a conservative extension of $\approx$ w.r.t. finite terms, i.e.:

Proposition 4. The theory over infinitary typed Böhm trees and the theory $\approx$ coincide when both are restricted to the finite typed Böhm trees, in the case of two ground constants.

Decidability Results. The following decidability result can be proved in $\mathcal{M}_{O_k}$.

Theorem 4. Let $\mathcal{R}$ be a simple PER, i.e. $\mathcal{R} = \mathcal{R}_1 \to \ldots \to \mathcal{R}_n \to O_k$. For all $f : \mathrm{Nat} \rightharpoonup \mathrm{Nat}$ whose graph is finite, it is decidable whether $f \in dom(\mathcal{R})$.

Proof. In order to decide whether $f \in dom(\mathcal{R})$, it is sufficient to check the behaviour of $f$ when applied to the "relevant" $g \in \mathcal{R}_i$, i.e. to the $g$'s whose domains (and codomains), roughly, are contained in a suitable subset of the domains of $h, h'$. More precisely, let

$$ h, h' : ((\mathrm{Nat} \times \mathrm{Nat}) + \ldots + (\mathrm{Nat} \times \mathrm{Nat})) + \mathrm{Nat} \rightharpoonup ((\mathrm{Nat} \times \mathrm{Nat}) + \ldots + (\mathrm{Nat} \times \mathrm{Nat})) + \mathrm{Nat} $$

be the partial involutions obtained from $h, h'$ using the coding functions $t, p$. Then $g_i$ is "relevant" to $h, h'$ if $dom(g_i) \subseteq \{ n \mid \exists k.\ (k, n) \in dom(h) \cup dom(h') \}$. These $g$'s are the only "relevant" ones for $h, h'$ in the sense that, for any other "non-relevant" $g$, there exists $g'$ "relevant" such that, for all $*_i$, $h \bullet g(*_i) \simeq h \bullet g'(*_i)$ and $h' \bullet g(*_i) \simeq h' \bullet g'(*_i)$. Since $h, h'$ have finite graphs, there are only finitely many $g_1, \ldots, g_n$ whose graphs are finite. We can easily generate all these "relevant" partial involutions $g_1, \ldots, g_n$. At this point, we have to eliminate the relevant $g$'s which are not in $dom(\mathcal{R})$. Moreover, we need to know, for all relevant $g_i, g_i'$, whether $g_i$ is equivalent to $g_i'$. In order to decide this, we compute, in turn, the partial involutions which are relevant for $g_i$ and $g_i'$. And, recursively, we have to compute the relevant partial involutions of the relevant partial involutions, until we reach the ground PER $\mathcal{R}$. Once we have eliminated those $g$ which are not in $dom(\mathcal{R})$, and we have divided the set of relevant $g$'s into equivalence classes, we can check, finally, the applicative behaviour of $f$. The computations $h \bullet g(*_i)$ and $h' \bullet g(*_i)$ always terminate, since, by definition of partial involution, and by the fact that the graphs of $h, h', g_1, \ldots, g_n$ are all finite, there cannot be an infinite (possibly cyclic) computation. Namely, the computation $h \bullet g(*_i)$ either converges to $a_i$ or diverges because $h$ or $g$ are not defined on some element. This concludes the proof. □



Using a similar argument, we can prove:

Proposition 5. Let $\vdash M : T$, $\vdash N : T$ be such that $[\![\vdash M : T]\!]^{O_k}$, $[\![\vdash N : T]\!]^{O_k}$ have representatives with finite graphs. Then it is decidable whether $M \approx N$.

However, there are very few $\lambda$-terms whose interpretation is finite in the sense of Proposition 5 above. E.g. the identity of type $((o \to o) \to o) \to ((o \to o) \to o)$ has no representative with a finite graph. Intuitively, this depends on the fact that it can ask for any number of copies of its argument.



5 Conclusions and Future Work

In this paper, we have studied fully complete PER models for the maximal theory of the simply typed $\lambda$-calculus with finitely many base constants, and we have seen some applications of this construction. Here we summarize a list of remarks and interesting issues which remain to be addressed:

- Following [Abr00], we could abstract axioms for full completeness from the lemmata in our proof. However, these would not imply faithfulness w.r.t. the maximal theory, i.e. that the theory of the models would be maximal.

- One could define fully complete Game Models for $\lambda_k$ by considering strategies in the style of [AJM00]. But, by the intensionality of the Game Semantics, these models would not realize the maximal theory, but rather the $\beta\eta$-theory.

Fully Complete Minimal PER Models for the Simply Typed $\lambda$-Calculus 457

- In [Lai00], a fully abstract translation of "Finitary $\mu$-PCF" into the simply typed lambda calculus with constants is given. An interesting consequence of this result is that our model is also fully abstract for this finitary $\mu$-PCF.

- We feel that the fully complete models based on partial involutions defined in this paper should provide a semantical proof of the decidability of the maximal theory, alternative to those of Padovani and Loader. We should capitalize on the possibility of checking equivalence of involutions by evaluating them on finite sets of inputs (moves).

- We conjecture that the model $\mathcal{M}_{O_k^{\bot}}$, for $k = 1$, is fully complete for the decidable fragment of PCF called "Unary PCF".

- We end this paper with a very speculative comment. Partial involutions provide models for reversible computations ([Abr01]). Is this related to the decidability of the various theories which can be modeled by partial involutions?
Abstract. We introduce an induction principle on complete partial orders and consider its applications to program verification and analysis on the real line. The highlight of this technique is that it allows one to make inductive arguments over continuous as well as discrete forms of data without ever having to distinguish between the two.



1 Introduction 

This paper introduces an induction principle based on complete partial orders 
and certain selfmaps called ideal mappings. We first study the ideal mappings, 
including the important issue of how one proves in practice that a map is in fact 
ideal. We then proceed to the induction principle and apply it to establish the 
correctness of mergesort. One of the interesting aspects about this application 
to program verification is the ease with which this form of induction may be 
applied. Whereas in domain theory, where the usual fixed point induction [1] 
would require us to undertake the nontrivial task of realizing the algorithm as 
the least fixed point of a higher order operator, the induction principle presented 
here requires no transitional step between theory and practice: An actual ML 
program is already in the form that the theory requires. We will also see that 
it captures the usual fixed point induction as a trivial consequence. However, 
because the principle presented here is based on mappings that in general are 
not monotone, it admits applications outside the scope of domain theory, such 
as inductive proofs of the compactness and connectedness of the unit interval. 

2 Background

A poset is a partially ordered set [1], that is, a set $P$ together with a binary relation $\sqsubseteq \subseteq P^2$ which is reflexive, transitive and antisymmetric.

Definition 1. Let $(P, \sqsubseteq)$ be a partially ordered set. An upper bound of a subset $S \subseteq P$ is an element $u \in P$ such that $s \sqsubseteq u$, for all $s \in S$. If $S \subseteq P$ has an upper bound $u$ such that $u \sqsubseteq v$, for any upper bound $v$ of $S$, then we call $u$ the supremum of $S$ and write $u = \bigsqcup S$.
Definition 2. Let $(P, \sqsubseteq)$ be a partially ordered set. A sequence $(x_n)$ in $P$ is increasing if $x_n \sqsubseteq x_{n+1}$, for all $n \ge 1$. A cpo is a poset in which every increasing sequence has a supremum.

Definition 3. A function $f : D \to E$ between cpo's is continuous if

(i) $f$ is monotone: $x \sqsubseteq y \Rightarrow f(x) \sqsubseteq f(y)$, and

(ii) $f$ preserves suprema of increasing sequences: If $(x_n)$ is an increasing sequence in $D$, then

$$ f\Big(\bigsqcup_{n \in \mathbb{N}} x_n\Big) = \bigsqcup_{n \in \mathbb{N}} f(x_n). $$

We consider a few examples.

Example 1. The set of nonnegative reals $[0, \infty)^{*}$ in their opposite order,

$$ x \sqsubseteq y \iff x \ge y, $$

is a cpo. If $(x_n)$ is increasing in $[0, \infty)^{*}$, $\bigsqcup x_n = \lim x_n = \inf\{x_n : n \in \mathbb{N}\}$.

Example 2. The interval cpo. The collection of compact intervals of the real line

$$ \mathbf{I}\mathbb{R} = \{[a, b] : a, b \in \mathbb{R}\ \&\ a \le b\} $$

ordered under reverse inclusion

$$ [a, b] \sqsubseteq [c, d] \iff [c, d] \subseteq [a, b] $$

is a cpo. The supremum of an increasing sequence $(x_n)$ in $\mathbf{I}\mathbb{R}$ is $\bigcap x_n$.

Our final example is the cpo $[S]$ of finite lists [6] over a set $(S, \le)$.

Definition 4. A list over $S$ is a function $x : \{1, \ldots, n\} \to S$, for $n \ge 0$. The length of a list $x$ is $|dom\ x|$. The set of all (finite) lists over $S$ is $[S]$.

A list $x$ can be written as $[x(1), \ldots, x(n)]$, where the empty list (the list of length 0) is written $[]$. We also write lists as $a :: x$, where $a \in S$ is the first element of the list $a :: x$, and $x \in [S]$ is the rest of the list $a :: x$. For example, the list $[1, 2, 3]$ is written $1 :: [2, 3]$.

Definition 5. A set $K \subseteq \mathbb{N}$ is convex if $a, b \in K\ \&\ a \le x \le b \Rightarrow x \in K$. Given a finite convex set $K \subseteq \mathbb{N}$, the map $scale(K) : \{1, \ldots, |K|\} \to K$ given by

$$ scale(K)(i) = \min K + i - 1 $$

relabels the elements of $K$ so that they begin with one.

Definition 6. For $x, y \in [S]$, $x$ is a sublist of $y$ iff there is a convex subset $K \subseteq \{1, \ldots, \text{length}\ y\}$ such that $y \circ scale\ K = x$.

Example 3. If $L = [1, 2, 3, 4, 5, 6]$, then $[1, 2, 3], [4, 5, 6], [3, 4, 5], [2, 3, 4], [3, 4], [5]$ and $[]$ are all sublists of $L$, while $[1, 4, 5, 6], [1, 3]$ and $[2, 4]$ are not sublists of $L$.

Lemma 1. The finite lists $[S]$ over a set $S$, ordered under reverse convex containment,

$$ x \sqsubseteq y \iff y \text{ is a sublist of } x, $$

form a cpo. In fact, every increasing sequence in $[S]$ is finite.

The order on $[S]$ is based on computational progress: Intuitively, it is easier to solve a problem on input $[]$ than for any other input $x$, hence $x \sqsubseteq []$.



3 Ideal Mappings

The induction principle of the next section makes use of ideal splittings.

Definition 7. A splitting on a poset is a selfmap $s : P \to P$ such that $x \sqsubseteq s(x)$, for all $x \in P$.

The fixed points of a splitting $s$ are denoted by $fix(s) = \{x \in P : s(x) = x\}$. It is easy to see that every splitting on a poset $P$ has a fixed point iff $P$ has at least one maximal element, that is, an element $x \in P$ such that

$$ \uparrow x := \{y \in P : x \sqsubseteq y\} = \{x\}. $$

However, the cpo's used in computation always have maximal elements, so existence of fixed points for splittings is not a concern. What is important, however, is finding a class of splittings whose fixed points may be calculated naturally.

Definition 8. A splitting $s : D \to D$ on a cpo $D$ is ideal if for all sequences $(a_n)$ in $D$ with $s(a_n) \sqsubseteq a_{n+1}$ for all $n$, we have $s(\bigsqcup a_n) = \bigsqcup s(a_n)$.



Lemma 2 (Martin [6]). Let $s : D \to D$ be a splitting on a cpo $D$. Then

(i) The map $s$ is ideal iff for all sequences $(a_n)$ with $s(a_n) \sqsubseteq a_{n+1}$, we have

$$ s\Big(\bigsqcup a_n\Big) = \bigsqcup a_n. $$

(ii) If $s$ is ideal, then $\bigsqcup s^{n}(x) \in fix(s)$, for all $x \in D$.

Now we turn to some basic techniques which enable us to prove that splittings are ideal.

Lemma 3. A continuous splitting is ideal.

In particular, if $f : D \to D$ is continuous, then its restriction to the cpo $I(f) = \{x \in D : x \sqsubseteq f(x)\}$ is ideal.

Lemma 4. For a cpo $D$, the following are equivalent:

(i) Every splitting on $D$ is ideal.

A Principle of Induction 461

(ii) The supremum of every strictly increasing sequence in $D$ is maximal.

Proof. (i) ⇒ (ii): Let $(a_n)$ be an increasing sequence with $a_n \neq a_{n+1}$ for all $n$. Write $a = \bigsqcup a_n$ and let $m \in D$ be any element with $a \sqsubseteq m$. Define a splitting $s : D \to D$ by

$$ s(x) = \begin{cases} a_{n+1} & \text{if } x = a_n; \\ m & \text{if } x = a; \\ x & \text{otherwise.} \end{cases} $$

Then $\bigsqcup a_n = \bigsqcup s^{n}(a_1) = a$. However, the splitting $s$ is ideal, so $a \in fix(s)$. This gives $s(a) = a = m$ which proves that $\bigsqcup a_n$ is maximal. (ii) ⇒ (i): Let $s : D \to D$ be a splitting and $s(a_n) \sqsubseteq a_{n+1}$. If this sequence is eventually constant, its supremum is a fixed point of $s$, and so obviously one preserved by $s$. On the other hand, if it is not eventually constant, its supremum must be maximal by (ii). But

$$ \bigsqcup_{n \ge 0} a_n \sqsubseteq s\Big(\bigsqcup_{n \ge 0} a_n\Big) = \bigsqcup_{n \ge 0} s(a_n), $$

so the inequality on the left is actually an equality. □

Thus, by Lemma 4, every splitting on the cpo of lists $[S]$ is ideal. However, the most useful technique for establishing that a splitting is ideal is the next result.

Proposition 1. Let $D$ be a cpo with a continuous map $\mu : D \to [0, \infty)^{*}$ which is strictly monotone, that is, for all $x, y \in D$,

$$ x \sqsubseteq y\ \&\ \mu x = \mu y \Rightarrow x = y. $$

If $s : D \to D$ is a splitting such that

(i) There is $0 < r < 1$ such that $\mu s(x) \le r \cdot \mu x$, for all $x \in D$, or

(ii) The map $\mu \circ s : D \to [0, \infty)^{*}$ is continuous,

then $s$ is ideal.

Proof. (i) It is easy to see that any element $x$ with $\mu x = 0$ is maximal. If $(a_n)$ is a sequence with $a_n \sqsubseteq s(a_n) \sqsubseteq a_{n+1}$, then $(\forall n > 0)\ \mu a_{n+1} \le r^{n} \mu a_1$. Thus,

$$ \mu\Big(\bigsqcup a_n\Big) \le \mu a_{n+1} \le r^{n} \mu a_1, $$

for all $n > 0$. Then $\bigsqcup a_n$ is maximal in $D$ and so must be a fixed point. This proves $s$ is ideal by Lemma 2(i). (ii) If $(a_n)$ is a sequence with $a_n \sqsubseteq s(a_n) \sqsubseteq a_{n+1}$, then

$$ \mu s\Big(\bigsqcup a_n\Big) = \lim \mu s(a_n) = \mu\Big(\bigsqcup s(a_n)\Big), $$

and since $\bigsqcup s(a_n) \sqsubseteq s(\bigsqcup a_n)$, the strict monotonicity implies that these two are equal. □
The following example of a nonmonotonic splitting will give the reader a better feel for the usefulness of the last proposition. Notice too the ease with which nonmonotonic splittings arise in practice.

Example 4. The splitting $left : \mathbf{I}\mathbb{R} \to \mathbf{I}\mathbb{R}$ given by

$$ left\,[a, b] = [a, (a + b)/2] $$

is not monotone. In particular, it is not continuous. However, it is easy to see that

$$ \mu\, left\,[a, b] = \frac{\mu [a, b]}{2}, $$

where $\mu : \mathbf{I}\mathbb{R} \to [0, \infty)^{*}$ is the length function $\mu [a, b] = b - a$. By Prop. 1, $left$ is ideal.

For more on strictly monotone mappings like $\mu$ above, and how it is that they arise naturally in the study of computation on cpo's, see [6] and [7].

4 Induction 

A subset P of a cpo D is called a subcpo if for every increasing sequence (a;„) in 
P, we have |Ja:„ G P, where the supremum is taken in P. A simple example of 
a subcpo is provided by the set of fixed points fix(s) of an ideal map s : D ^ D. 
Another is given by that of an inductive property. 

Definition 9. An inductive property on a cpo P is a subcpo P (Z D and two 
ideal maps I : D ^ D and r : D ^ D such that 

X £ P ^ lx G P or rx £ P 

for all cc G P. We can write an inductive property as a triple (P,l,r). 

The complement of an inductive property is a deductive property. 

Definition 10. A deductive property on a cpo $D$ is a subset $P \subseteq D$ and two ideal maps $l : D \to D$ and $r : D \to D$ such that the triple $(D \setminus P, l, r)$ forms an inductive property. We write a deductive property as a triple $(P, l, r)$.

Theorem 1 (Induction). If $P$ is an inductive property on a cpo $D$, then

$$x \in P \;\Rightarrow\; P \cap \uparrow\! x \cap (\mathrm{fix}(l) \cup \mathrm{fix}(r)) \ne \emptyset,$$

for all $x \in D$.

Proof. Define a splitting $s : D \to D$ by

$$s(x) = \begin{cases} l(x) & \text{if } l(x) \in P; \\ r(x) & \text{otherwise.} \end{cases}$$




A Principle of Induction 463 



Let $(a_n)_{n \ge 0}$ be a sequence in $P$ with $a_n \sqsubseteq s(a_n) \sqsubseteq a_{n+1}$ for all $n$. Then there is an infinite subsequence of $(a_n)$ named $(b_i)$, which has the same supremum as $(a_n)$, and for which we also have that either

$$(\forall i)\ l(b_i) \sqsubseteq b_{i+1} \;\&\; l(b_i) \in P$$

or

$$(\forall i)\ r(b_i) \sqsubseteq b_{i+1} \;\&\; l(b_i) \notin P.$$

In the first case, the idealness of $l$, combined with the fact that $P$ is a cpo, gives

$$l\Big(\bigcup a_n\Big) = l\Big(\bigcup b_i\Big) = \bigcup b_i = \bigcup l(b_i) = \bigcup a_n \in P.$$

Thus, $a_0 \sqsubseteq l(\bigcup a_n) = \bigcup a_n$. In the second case, we must have $r(b_i) \in P$, and so the same argument gives $a_0 \sqsubseteq r(\bigcup a_n) = \bigcup a_n$. Finally, given a point $x \in P$, we set $a_n = s^n x$, for $n \ge 0$, and see that

$$\bigcup s^n(x) \in P \cap \uparrow\! x \cap (\mathrm{fix}(l) \cup \mathrm{fix}(r)),$$

which finishes the proof. $\square$



Corollary 1 (Deduction). If $P$ is a deductive property on a cpo $D$, then

$$\uparrow\! x \cap (\mathrm{fix}(l) \cup \mathrm{fix}(r)) \subseteq P \;\Rightarrow\; x \in P,$$

for all $x \in D$.

It is interesting that induction on the naturals has the form of Theorem 1.

Example 5. Let $p : \mathbb{N} \to \{\top, \bot\}$ be a function. The set

$$P = \{n \in \mathbb{N} \cup \{\infty\} : (\forall k < n)\ p(k) = \top\}$$

is a subcpo of $\mathbb{N} \cup \{\infty\}$. The successor function

$$\mathrm{succ}\, n = \begin{cases} n + 1 & \text{if } n \in \mathbb{N} \\ \infty & \text{if } n = \infty \end{cases}$$

is ideal. If $p$ has the property that for all $n \in \mathbb{N}$,

$$p(n) = \top \;\Rightarrow\; p(n+1) = \top,$$

then $(P, \mathrm{succ}, \mathrm{succ})$ is an inductive property on $\mathbb{N} \cup \{\infty\}$. In this case, Theorem 1 says that $p(0) = \top \Rightarrow p(n) = \top$ for all $n \in \mathbb{N}$.

The connectedness of $\mathbb{R}$ may now be proven by induction.

Example 6. Let $f : \mathbb{R} \to \mathbb{R}$ be a continuous map on the real line. The set

$$C(f) = \{[a,b] \in \mathbf{IR} : f(a) \cdot f(b) \le 0\}$$

is a subcpo of $\mathbf{IR}$ by the continuity of $f$. The mappings $\mathrm{left} : \mathbf{IR} \to \mathbf{IR}$, $\mathrm{left}[a,b] = [a, (a+b)/2]$, and $\mathrm{right} : \mathbf{IR} \to \mathbf{IR}$, $\mathrm{right}[a,b] = [(a+b)/2, b]$, are ideal. In addition,

$$x \in C(f) \;\Rightarrow\; \mathrm{left}\, x \in C(f) \text{ or } \mathrm{right}\, x \in C(f),$$

for all $x \in \mathbf{IR}$. Thus, $(C(f), \mathrm{left}, \mathrm{right})$ is an inductive property on $\mathbf{IR}$. By induction, if $f$ changes sign on $[a,b]$, it must have at least one zero on $[a,b]$. This implies that the real line is connected.

The proof of the induction principle reveals more than is actually stated in Theorem 1. Not only does it show that $(\exists a)\ a \in P \cap \uparrow\! x \cap (\mathrm{fix}(l) \cup \mathrm{fix}(r))$, it also reveals how to obtain such an $a$. At times, this is worth remembering: In the last example, this fixed point is a zero of the function $f$, and the process by which it is obtained is the bisection method [6]. It is also important in the next example.
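As an added illustration, not code from the paper, the following Python sketch models the interval domain IR with exact rationals and runs the splitting s built in the proof of Theorem 1 with P = C(f), so that iterating s is the bisection method just mentioned; the names mu, left, right, in_C, s_step and bisection are this example's own.

```python
from fractions import Fraction
from typing import Callable, List, Tuple

# An element [a, b] of the interval domain IR, kept as exact rationals so that
# the halving in left/right is exact and no rounding masks the behaviour.
Interval = Tuple[Fraction, Fraction]
RealFn = Callable[[Fraction], Fraction]


def mu(x: Interval) -> Fraction:
    """The length measurement of Example 4: mu[a, b] = b - a."""
    a, b = x
    return b - a


def left(x: Interval) -> Interval:
    """left[a, b] = [a, (a + b)/2]."""
    a, b = x
    return (a, (a + b) / 2)


def right(x: Interval) -> Interval:
    """right[a, b] = [(a + b)/2, b]."""
    a, b = x
    return ((a + b) / 2, b)


def below(x: Interval, y: Interval) -> bool:
    """x sqsubseteq y in IR means y is contained in x (reverse inclusion)."""
    return x[0] <= y[0] and y[1] <= x[1]


def in_C(f: RealFn, x: Interval) -> bool:
    """x in C(f) = {[a, b] : f(a) * f(b) <= 0}, the subcpo of Example 6."""
    a, b = x
    return f(a) * f(b) <= 0


def inductive_step_holds(f: RealFn, x: Interval) -> bool:
    """The defining condition of the inductive property (C(f), left, right):
    x in C(f)  =>  left x in C(f) or right x in C(f)."""
    return (not in_C(f, x)) or in_C(f, left(x)) or in_C(f, right(x))


def s_step(f: RealFn, x: Interval) -> Interval:
    """The splitting s from the proof of Theorem 1 with P = C(f):
    s(x) = left(x) if left(x) in P, otherwise right(x)."""
    lx = left(x)
    return lx if in_C(f, lx) else right(x)


def chain(f: RealFn, x: Interval, steps: int) -> List[Interval]:
    """a_0 = x, a_{n+1} = s(a_n): the increasing sequence used in the proof."""
    out = [x]
    for _ in range(steps):
        out.append(s_step(f, out[-1]))
    return out


def bisection(f: RealFn, a: int, b: int, tol: Fraction) -> Tuple[Interval, int]:
    """Iterate s from [a, b] until the interval is shorter than tol. Every a_n
    lies in C(f), the chain is increasing in IR, and mu halves at each step
    (condition (i) of Proposition 1 with r = 1/2), so the supremum of the chain
    is a point [t, t] with f(t) = 0: the bisection method of the text.
    Returns the last interval and the number of splitting steps taken."""
    x: Interval = (Fraction(a), Fraction(b))
    if not in_C(f, x):
        raise ValueError("f does not change sign on [a, b], so [a, b] is not in C(f)")
    n = 0
    while mu(x) >= tol:
        x = s_step(f, x)
        n += 1
    return x, n
```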

Example 7. Let $D$ be a cpo with least element $\bot$ (meaning $(\forall x)\ \bot \sqsubseteq x$). If $f : D \to D$ is continuous and $P$ is a subcpo such that

(i) $\bot \in P$, and

(ii) $(\forall x)\ x \in P \Rightarrow f(x) \in P$,

then the least fixed point $\mathrm{fix}(f) = \bigcup f^n(\bot) \in P$.

This is the basic fixed point induction principle of domain theory [1]. But what is worth pointing out is that it is a special case of Theorem 1. To see this, set $l = r = f|_{I(f)}$, where $I(f) = \{x \in D : x \sqsubseteq f(x)\}$, and notice that $(P \cap I(f), l, r)$ is an inductive property over $I(f)$. Because $\bot \in P \cap I(f)$, $\bigcup s^n(\bot) \in P$, where $s$ is as defined in the proof of Theorem 1. But $s$ is nothing more than $f|_{I(f)}$ in this case, which finishes the demonstration.

Deduction (Corollary 1) is simply a special case of the induction principle since $(P, l, r)$ is deductive iff $(D \setminus P, l, r)$ is inductive. However, it is an instance worthy of distinction. Very much in the spirit of classical induction on the naturals, it works as follows: To prove that $x$ has property $P$, we need only establish the base case that the fixed points of $l$ and $r$ above $x$ have property $P$.

For instance, in the next example, we will use deduction to establish the compactness of the unit interval $[0,1]$. The essence of the argument is this: Because the points of $[0,1]$ are all compact (base case), the unit interval itself is compact. We should point out before proceeding that only the completeness of $\mathbb{R}$ is required to prove that $\mathbf{IR}$ is a cpo.



Example 8. Let $\{U_\alpha\}$ be an open cover of $[0,1]$. Consider the set

$$P = \{x \in \mathbf{IR} : x \text{ can be finitely covered by } \{U_\alpha\}\}.$$

First, if $[a,b] \in P$, then write $[a,b] \subseteq \bigcup_i U_i = V$ for a finite union. Because $V$ is an open subset of $\mathbb{R}$,

$$(\exists \varepsilon > 0)\ a \in (a - \varepsilon, a + \varepsilon) \subseteq V \;\&\; b \in (b - \varepsilon, b + \varepsilon) \subseteq V,$$

which means $\{x \in \mathbf{IR} : [a,b] \subseteq x \subseteq (a - \varepsilon, b + \varepsilon)\} \subseteq P$. This implies that $\mathbf{IR} \setminus P$ is a subcpo of $\mathbf{IR}$. Now observe that for all $x \in \mathbf{IR}$,

$$\mathrm{left}\, x \in P \;\&\; \mathrm{right}\, x \in P \;\Rightarrow\; x \in P.$$

Thus, $(P, \mathrm{left}, \mathrm{right})$ is a deductive property. Finally,

$$\uparrow\![0,1] \cap (\mathrm{fix}(\mathrm{left}) \cup \mathrm{fix}(\mathrm{right})) = \{[t] : t \in [0,1]\} \subseteq P,$$

and so by deduction $[0,1] \in P$.

Another application of the induction principle is to program correctness. 

5 Program Verification 

We derive the following method for verifying an algorithm:

(i) For an algorithm $a$, let $O_a$ be its domain, the set of all possible inputs, and let $D_a := \{x \in O_a : a \text{ works correctly on } x\}$. Trivially, then, $D_a \subseteq O_a$.

(ii) Show that $D_a$ is a deductive property over $O_a$.

(iii) Use deduction to show $O_a \subseteq D_a$.

(iv) Conclude that $a$ works correctly on all inputs since $O_a = D_a$.

We now apply this idea to list processing algorithms on $[S]$. Notice that Lemma 4 implies that all splittings on $[S]$ and $[S]^2$ are ideal. In addition, all subsets of $[S]^2$ and $[S]$ are subcpo's. Before proceeding, we need to formalize some basic computational aspects.

Definition 11. The concatenation of two lists $x$ and $y$ is written $x \cdot y$. Formally, it is the list $x \cdot y : \{1, \dots, |x| + |y|\} \to S$ given by $(x \cdot y)|_{\{1, \dots, |x|\}} = x$ and $(x \cdot y)|_{\{|x|+1, \dots, |x|+|y|\}} = y$.



Definition 12. If $S$ is a poset, then we say that a list $x \in [S]$ is sorted if $x$ is monotone as a map between posets. The set of all sorted lists is denoted $[S]_\le$.

Definition 13. A permutation of a list $x \in [S]$ is a list $y \in [S]$ for which there is a bijection $\phi : \{1, \dots, |x|\} \to \{1, \dots, |y|\}$ such that $x = y \circ \phi$. The set of all permutations of $x$ is denoted by $x!$.

We now use the induction principle to give a proof of the correctness of 
mergesort. There are two stages: First the verification of the merge operation, 
and then the sorting algorithm itself. Notice that we are able to work with each 
program in its natural state. 
Example 9. Consider the following ML program to merge two sorted lists of integers:

    fun merge( [ ], ys ) = ys : int list
      | merge( xs, [ ] ) = xs
      | merge( x :: xs, y :: ys ) = if x < y then
                                       x :: merge( xs, y :: ys )
                                     else
                                       y :: merge( x :: xs, ys );

(1) Identify the domain of the algorithm and define correctness.

$$O_{\mathrm{merge}} := \{(x,y) \in [\mathrm{int}]^2 : x, y \in [\mathrm{int}]_\le\}$$

$$D_{\mathrm{merge}} := \{(x,y) \in O_{\mathrm{merge}} : \mathrm{merge}(x,y) \in (x \cdot y)! \cap [\mathrm{int}]_\le\}$$

(2) Show that $D_{\mathrm{merge}}$ is a deductive property on $O_{\mathrm{merge}}$.

Consider the splitting $\pi : O_{\mathrm{merge}} \to O_{\mathrm{merge}}$ defined by

$$\pi([\ ], ys) = ([\ ], ys), \qquad \pi(xs, [\ ]) = (xs, [\ ]),$$

$$\pi(x :: xs,\ y :: ys) = \begin{cases} (xs,\ y :: ys) & \text{if } x < y \\ (x :: xs,\ ys) & \text{otherwise.} \end{cases}$$

If $(x,y) \in O_{\mathrm{merge}}$, then

$$\pi(x,y) \in D_{\mathrm{merge}} \;\Rightarrow\; (x,y) \in D_{\mathrm{merge}}.$$

Thus, $(D_{\mathrm{merge}}, \pi, \pi)$ is a deductive property over $O_{\mathrm{merge}}$.

(3) Use deduction to show that $O_{\mathrm{merge}} \subseteq D_{\mathrm{merge}}$.

The fixed points of $\pi$ are $\mathrm{fix}(\pi) = \{([\ ], y) : y \text{ sorted}\} \cup \{(x, [\ ]) : x \text{ sorted}\}$. Given $(x,y) \in O_{\mathrm{merge}}$,

$$\uparrow\!(x,y) \cap \mathrm{fix}(\pi) \subseteq \mathrm{fix}(\pi) \subseteq D_{\mathrm{merge}}.$$

Then, by deduction, $(x,y) \in D_{\mathrm{merge}}$.

(4) Consequently, merge is a correct algorithm.

In the next example, take(n, xs) returns the first n elements of the list xs, while 
drop(n, xs) removes the first n elements of xs and returns the remainder. 







Example 10. Consider the ML implementation of mergesort for lists of integers:

    fun sort [ ] = [ ]
      | sort [x] = [x]
      | sort xs = let val n = length xs div 2
                  in merge( sort( take(n, xs) ),
                            sort( drop(n, xs) ) )
                  end;

The domain of sort is

$$O_{\mathrm{sort}} = [\mathrm{int}] \quad\text{and}\quad D_{\mathrm{sort}} := \{x \in [\mathrm{int}] : \mathrm{sort}(x) \in x! \cap [\mathrm{int}]_\le\}.$$

Now consider the splittings $\mathrm{left} : [\mathrm{int}] \to [\mathrm{int}]$ and $\mathrm{right} : [\mathrm{int}] \to [\mathrm{int}]$,

    left xs  = take(length xs div 2, xs)
    right xs = drop(length xs div 2, xs)

By the correctness of merge,

$$(D_{\mathrm{sort}}, \mathrm{left}, \mathrm{right}) \text{ is a deductive property over } [\mathrm{int}].$$

Finally,

$$\mathrm{fix}(\mathrm{left}) = \{[\ ]\} \subseteq D_{\mathrm{sort}}$$

and

$$\mathrm{fix}(\mathrm{right}) = \{[x] : x \in \mathrm{int}\} \cup \{[\ ]\} \subseteq D_{\mathrm{sort}},$$

which by deduction proves that $D_{\mathrm{sort}} = [\mathrm{int}]$, i.e., sort is correct.
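As an added worked example (a Python transcription, not the paper's ML code), the following runs the verification method of Section 5 on constructed inputs for both Example 9 and Example 10: it iterates the splitting π to the fixed point above a pair of sorted lists and checks the base case and the deductive step along the chain, then does the same base/step check for sort with the splittings left and right; the helper names are this example's own.

```python
from collections import Counter
from typing import List, Tuple

IntList = List[int]
Pair = Tuple[IntList, IntList]


def merge(xs: IntList, ys: IntList) -> IntList:
    """Direct transcription of the ML merge of Example 9."""
    if not xs:
        return ys
    if not ys:
        return xs
    x, y = xs[0], ys[0]
    if x < y:
        return [x] + merge(xs[1:], ys)
    return [y] + merge(xs, ys[1:])


def sort(xs: IntList) -> IntList:
    """Direct transcription of the ML mergesort of Example 10;
    take(n, xs) and drop(n, xs) become the slices xs[:n] and xs[n:]."""
    if len(xs) <= 1:
        return xs
    n = len(xs) // 2
    return merge(sort(xs[:n]), sort(xs[n:]))


def is_sorted(xs: IntList) -> bool:
    return all(xs[i] <= xs[i + 1] for i in range(len(xs) - 1))


def is_permutation(xs: IntList, ys: IntList) -> bool:
    """ys in xs! : same elements with the same multiplicities."""
    return Counter(xs) == Counter(ys)


def in_O_merge(p: Pair) -> bool:
    """O_merge: pairs of sorted lists."""
    return is_sorted(p[0]) and is_sorted(p[1])


def in_D_merge(p: Pair) -> bool:
    """D_merge: merge(x, y) is a sorted permutation of x . y."""
    x, y = p
    z = merge(x, y)
    return is_sorted(z) and is_permutation(z, x + y)


def pi(p: Pair) -> Pair:
    """The splitting pi on O_merge from Example 9, step (2)."""
    x, y = p
    if not x or not y:
        return p
    return (x[1:], y) if x[0] < y[0] else (x, y[1:])


def in_D_sort(xs: IntList) -> bool:
    """D_sort: sort(x) is a sorted permutation of x."""
    return is_sorted(sort(xs)) and is_permutation(sort(xs), xs)


def left(xs: IntList) -> IntList:
    return xs[: len(xs) // 2]


def right(xs: IntList) -> IntList:
    return xs[len(xs) // 2 :]


def deduction_check_merge(x: IntList, y: IntList) -> Tuple[bool, bool, int]:
    """Follow (x,y), pi(x,y), pi(pi(x,y)), ... up to the fixed point above (x,y)
    (pi is ideal on finite lists, so this terminates) and check what deduction needs:
      base: the fixed point has an empty component and lies in D_merge;
      step: pi(p) in D_merge  =>  p in D_merge, for every p on the chain.
    Returns (base_ok, step_ok, number_of_pi_steps)."""
    assert in_O_merge((x, y)), "inputs must lie in O_merge"
    chain = [(x, y)]
    while pi(chain[-1]) != chain[-1]:
        chain.append(pi(chain[-1]))
    fixed = chain[-1]
    base_ok = (not fixed[0] or not fixed[1]) and in_D_merge(fixed)
    step_ok = all((not in_D_merge(chain[i + 1])) or in_D_merge(chain[i])
                  for i in range(len(chain) - 1))
    return base_ok, step_ok, len(chain) - 1


def deduction_check_sort(xs: IntList) -> Tuple[bool, bool]:
    """Example 10: fix(left) = {[]} and fix(right) = lists of length <= 1 lie in D_sort
    (base), and left xs, right xs in D_sort  =>  xs in D_sort (step, via merge)."""
    base_ok = in_D_sort([]) and all(in_D_sort([v]) for v in xs)
    step_ok = (not (in_D_sort(left(xs)) and in_D_sort(right(xs)))) or in_D_sort(xs)
    return base_ok, step_ok
```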



6 Related Work 

As we have already mentioned implicitly numerous times, the idea most closely 
related to the one given here is fixed point induction [1]. Other versions of induc- 
tion tend to be rather specific in nature, as more often than not they focus on 
a specific data type [5], or on a specific topological space ([3], [4]). The principle 
given here emphasizes the form that inductive arguments take when looked at 
from the informatic viewpoint: A single technique enables us to reason about the 
continuous (the real line) as well as the discrete (ML programs) without ever 
drawing a distinction between the two. 

7 Presentation 

Great care has been taken to keep the mathematics as simple as possible as 
a means of enhancing applicability. However, an application like Example 8 is 
probably better dealt with using the approximation relation and the $\mu$ topology on $\mathbf{IR}$. For more on this, see the third chapter of [6].




468 Keye Martin 



8 Conclusion 

An induction principle based on complete partial orders and splittings has been 
introduced. It has been shown to capture the form of the usual induction on the 
naturals, to imply the basic fixed point induction of domain theory, to admit 
proofs of the compactness of [0, 1] and the connectedness of R, and to be useful 
for establishing the correctness of algorithms in their natural state. The reason 
for this diversity of application is that it is based on nonmonotonic mappings. 
For more on splittings, their applications to numerical analysis, and the sense in 
which the “recursive part” of an algorithm may always be modeled by a splitting, 
see the author’s Ph.D. thesis [6]. 

References 

1. S. Abramsky and A. Jung, Domain theory. In S. Abramsky, D. M. Gabbay, T. S. E. Maibaum, editors, Handbook of Logic in Computer Science, vol. III. Oxford University Press, 1994.

2. P. Aczel, An introduction to inductive definitions. In Handbook of Mathematical Logic, J. Barwise, Editor, North-Holland, p. 739-782.

3. T. Coquand, Constructive topology and combinatorics. Lecture Notes in Computer Science, vol. 613, p. 159-164.

4. T. Coquand, A note on the open induction principle. http://www.cs.chalmers.se/coquand/open.ps.Z

5. M. Escardo and T. Streicher, Induction and recursion on the partial real line with applications to Real PCF. Theoretical Computer Science, volume 210, number 1, p. 121-157, 1999.

6. K. Martin, A foundation for computation. Ph.D. Thesis, Department of Mathematics, Tulane University, May 2000. http://web.comlab.ox.ac.uk/oucl/work/keye.martin

7. K. Martin, The measurement process in domain theory. Proceedings of the 27th International Colloquium on Automata, Languages and Programming (ICALP), Lecture Notes in Computer Science, vol. 1853, Springer-Verlag, 2000.

8. L.C. Paulson, ML for the Working Programmer. Cambridge University Press, 1991.




On a Generalisation of Herbrand’s Theorem 



Matthias Baaz and Georg Moser 



Vienna University of Technology, Institut für Algebra und Computermathematik, E118.2, Wiedner Hauptstrasse 8-10
{baaz,moser}@logic.at



Abstract. In this paper we investigate the purely logical rule of term induction, i.e. induction deriving numerals instead of arbitrary terms. In this system it is not possible to bound the length of Herbrand disjunctions in terms of proof length and logical complexity of the end-formula as usual. The main result is that we can bound the length of the reduct of Herbrand disjunctions in this way. (Reducts are defined by omitting numerals.)



1 Introduction 

Let $\exists x F(x)$ be an existential formula which is provable in a usual Hilbert or Gentzen type system of pure logic. We assert the existence of a proof $\Pi$ of length $k$.¹ Using Herbrand's Theorem we find a valid disjunction (called Herbrand disjunction)

$$C_1 \vee \dots \vee C_c \qquad (1)$$

such that the $C_i$ are instances of $F(a)$. It is a well-known fact that $c$, the number of disjuncts, can be bounded by a primitive recursive function which depends only on $k$ and the logical complexity of $\exists x F(x)$.²

In this paper we take a close look at a formal first order system $\mathrm{LK}^{(\mathrm{tind})}$ in the standard language $\mathcal{L}$ of LK, see [20]. $\mathrm{LK}^{(\mathrm{tind})}$ extends LK by the following valid first-order inference rule ($A$ is quantifier-free).

$$\frac{\Gamma, A(a), \Delta \to \Lambda, A(s(a)), \Theta}{\Gamma, A(0), \Delta \to \Lambda, A(s^n(0)), \Theta} \qquad (2)$$

This rule is called term induction; it derives a restricted term built from successor $s$ and the constant $0$. We call such terms numerals. (This inference is in stark contrast to the usual induction principles, as these derive arbitrary terms.) $\mathrm{LK}^{(\mathrm{tind})}$ is conservative over pure logic.

On first sight this investigation of a dependent rule seems to be a strange task. The reader may wonder what could possibly be gained from such an analysis, as the inference rule (tind) can be immediately replaced by a sequence of implications. Hence our analysis may appear to be nothing else than another analysis of predicate logic. This is obviously true, but beside the point. The difference between $\mathrm{LK}^{(\mathrm{tind})}$ and LK is not a question of logical transformability, but of uniform transformability: In $\mathrm{LK}^{(\mathrm{tind})}$ we can no longer prove a uniform bound on the number of disjunctions in Herbrand disjunctions, similar to the one above. (We will give a proof of this fact in the next section.)

¹ We conceive proofs as rooted trees whose vertices are sequents. The length, $|\Pi|$, of a proof $\Pi$ is the number of vertices.

² In fact it is possible to bound $c$ by a function that depends only on $k$. This follows from the first $\varepsilon$-elimination theorem, cf. [12] pages 27-33, compare also [1].

The main result of this paper can be stated as follows. A general Herbrand disjunction $H$ (for $\exists x F(x)$) is a valid disjunction

$$\bigvee_{i_1, \dots, i_{p_1} \le N} M_1(s^{i_1}(0), \dots, s^{i_{p_1}}(0)) \;\vee \dots \vee\; \bigvee_{i_1, \dots, i_{p_m} \le N} M_m(s^{i_1}(0), \dots, s^{i_{p_m}}(0)) \qquad (3)$$

where the $M_i$ are instances of $F(a)$ and $N \in \mathbb{N}$. By removing all indicated numerals from the general Herbrand disjunction a disjunction is obtained whose length is independent of the numerals present in $H$:

$$M_1(a_1, \dots, a_{p_1}) \vee \dots \vee M_m(a_1, \dots, a_{p_m}) \qquad (4)$$

where the $a_i$ denote arbitrary distinct free variables. We call this disjunction an $\{s,0\}$-matrix, or simply matrix.

It is now possible to bound the length $m$ by a primitive recursive function $\psi$ that depends only on $k$ and the logical complexity $\mathrm{ld}(\exists x F(x))$ of the end-formula. In particular it doesn't depend on the height (and number) of the numerals contained in $\exists x F(x)$.

This implies that we can distinguish two separate parts, namely an arithmetical and a logical part. The arithmetical part expresses the impact of term induction in $H$, i.e. the possibility to derive uniformly formulas that contain arbitrary numerals. On the other hand the logical part is concerned with the aspects of usual logical rules, only. In this respect our results are similar to standard results for Hilbert type systems over pure logic, cf. [13,1].

By an extension of the argument that renders the bound on the length, we find a generalisation of the $\{s,0\}$-matrix such that the depth of terms built from function symbols different from $s$ is uniformly bounded. From this we obtain as a corollary that it is not possible in $\mathrm{LK}^{(\mathrm{tind})}$ (contrary to a ‘full’ induction system, cf. [23]) to derive $0 + (\cdots + 0) = 0$ uniformly in a fixed number of steps from $\forall x\ 0 + x = x$ and axioms of identity.

Moreover $l$ - the number of ‘big’ disjunctions in $H$ - is bounded by a primitive recursive function depending only on the maximal iteration of (tind)-inferences in $\Pi$ and $\mathrm{ld}(\exists x F(x))$. Note that if we restrict $\Pi$ to derivations admitting propositional cuts only, $l$ is already bounded by the maximal iteration of (tind)-inferences in $\Pi$. Furthermore this bound is sharp.

2 Herbrand Disjunctions in $\mathrm{LK}^{(\mathrm{tind})}$ Have No Uniform Bounds

We show that $\mathrm{LK}^{(\mathrm{tind})}$ does not admit uniform bounds for the length of Herbrand disjunctions in the length of the proofs and the logical complexities of the end formulas. Instead of showing the claim directly for Herbrand disjunctions, we show it w.l.o.g. with respect to Herbrand sequents, a slightly more general concept.

Let $Qx\,B(x)$, $Q \in \{\forall, \exists\}$ be a sub-formula of $F$. If $Qx\,B(x)$ occurs positively (negatively) in $F$, then the occurrence of $Q$ is called strong (weak) if $Q = \forall$ and weak (strong), otherwise.

Definition 1. Let $S$ be a provable sequent, containing only weak quantifiers,

$$\forall y_1 A_1(y_1), \dots, \forall y_a A_a(y_a) \to \exists x_1 B_1(x_1), \dots, \exists x_b B_b(x_b).$$

Then a valid sequent of the form

$$A_1(s^1_1, \dots, s^1_{n_1}), \dots, A_a(s^a_1, \dots, s^a_{n_a}) \to B_1(t^1_1, \dots, t^1_{m_1}), \dots, B_b(t^b_1, \dots, t^b_{m_b})$$

($n_i$; $m_j$ are chosen according to the length of $y_i$, $x_j$) is called Herbrand sequent.



Proposition 1. $\mathrm{LK}^{(\mathrm{tind})}$ does not admit uniform bounds for the length of Herbrand sequents.

Proof. To prove the claim we proceed indirectly: Assume the existence of a function $\phi$, such that for every proof $\Pi$ of $\exists x F(x)$ in $\mathrm{LK}^{(\mathrm{tind})}$, $\phi$ uniformly bounds the number of sequent formulas (i.e. the length) in the corresponding Herbrand sequent. Hence $\phi$ is independent of the occurring parameters in $\exists x F(x)$. Consider the trivial proof $\Pi$ ($P$ is atomic) given in Table 1.



Table 1.

    P(a) → P(a)      P(s(a)) → P(s(a))
    -----------------------------------
      P(a) ⊃ P(s(a)), P(a) → P(s(a))
    -----------------------------------
    ∀x(P(x) ⊃ P(s(x))), P(a) → P(s(a))
    -----------------------------------
    ∀x(P(x) ⊃ P(s(x))), P(0) → P(sⁿ(0))

Obviously any Herbrand sequent of $\forall x(P(x) \supset P(s(x))), P(0) \to P(s^n(0))$ has to contain - we apply the pigeon-hole principle - all $n$ implications $P(s^i(0)) \supset P(s^{i+1}(0))$ in the antecedent. $\square$

An immediate consequence of the example in Table 1 is that the following property, $\exists k\, \forall n\ \vdash_k \Gamma \to \Delta, A(s^n(0))$ iff $\vdash \Gamma \to \Delta, \forall x A(x)$, which is sometimes called Kreisel's conjecture, does not hold in $\mathrm{LK}^{(\mathrm{tind})}$.
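As an added check, not part of the paper, the pigeon-hole claim can be verified mechanically for small n by brute force over valuations: the atom P(s^k(0)) is encoded by the integer k, the Herbrand sequent of Table 1's end-sequent by its list of antecedent instances, and the {s,0}-matrix by the pattern left once numerals are dropped. All names are this example's own.

```python
from itertools import product
from typing import List, Optional, Tuple

# An implication P(s^i(0)) ⊃ P(s^j(0)) is the pair (i, j); the atom P(s^k(0)) is k.
Instance = Tuple[int, int]
Valuation = Tuple[bool, ...]   # v[k] is the truth value of P(s^k(0))


def herbrand_instances(n: int) -> List[Instance]:
    """The n instances P(s^i(0)) ⊃ P(s^{i+1}(0)), i = 0..n-1, that the proof in
    Table 1 contributes to the Herbrand sequent of  ∀x(P(x) ⊃ P(s(x))), P(0) → P(s^n(0))."""
    return [(i, i + 1) for i in range(n)]


def holds(instances: List[Instance], n: int, v: Valuation) -> bool:
    """Truth of the sequent  instances, P(0) → P(s^n(0))  under v:
    some antecedent formula is false, or the succedent P(s^n(0)) is true."""
    antecedent = v[0] and all((not v[i]) or v[j] for i, j in instances)
    return (not antecedent) or v[n]


def is_valid(instances: List[Instance], n: int) -> bool:
    """Validity = truth under all 2^(n+1) valuations of the atoms 0..n."""
    return all(holds(instances, n, v) for v in product((False, True), repeat=n + 1))


def falsifying_valuation(instances: List[Instance], n: int) -> Optional[Valuation]:
    """A valuation under which the sequent fails, or None if it is valid."""
    for v in product((False, True), repeat=n + 1):
        if not holds(instances, n, v):
            return v
    return None


def all_instances_needed(n: int) -> bool:
    """The pigeon-hole claim of the proof: the full set of n instances is valid, and
    dropping any single instance P(s^i(0)) ⊃ P(s^{i+1}(0)) makes the sequent falsifiable."""
    full = herbrand_instances(n)
    if not is_valid(full, n):
        return False
    return all(not is_valid(full[:i] + full[i + 1:], n) for i in range(n))


def s0_matrix(instances: List[Instance]) -> List[Tuple[str, str]]:
    """The {s,0}-matrix: an instance (i, j) is M(s^i(0)) with M(a) = P(a) ⊃ P(s^{j-i}(a));
    removing the numeral leaves the pattern in a free variable a, and equal patterns
    collapse, so the matrix length does not grow with n even though the sequent does."""
    patterns = {("P(a)", "P(" + "s(" * (j - i) + "a" + ")" * (j - i) + ")")
                for i, j in instances}
    return sorted(patterns)
```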

Remark 1. Using structural skolemisation, cf. [2], one can transform any proof $\Pi$ of a sequent $S$ to a proof $\Pi'$ with skolemised end-sequent such that $|\Pi'| \le |\Pi|$. Furthermore one can transform an arbitrary sequent into a sequent in prenex normal form by adding suitable cuts. This is possible by an increase in proof-length at most quadratic in the logical complexity, cf. [3].
3 Extraction of Herbrand Sequents from $\mathrm{LK}^{(\mathrm{tind})}$-Proofs

We aim at a characterization of the Herbrand sequents of theorems in $\mathrm{LK}^{(\mathrm{tind})}$. Assume $\Pi$ to be a proof of $S$ in $\mathrm{LK}^{(\mathrm{tind})}$ with length $|\Pi| \le k$.

A well-known result by Parikh [15] shows that the logical complexity of the formulas in $\Pi$ can be bounded by a primitive recursive function $\phi$, depending only on $k$ and $\mathrm{ld}(S)$. Parikh's argument is sufficiently general to be applied to $\mathrm{LK}^{(\mathrm{tind})}$. (For a modern presentation of the argument used in [15], see also [10,6,16].) We obtain

Proposition 2. If a sequent $S$ has a proof (in $\mathrm{LK}^{(\mathrm{tind})}$) of length $k$ then there exists a proof $\Pi'$, $|\Pi'| = k$, of $S$ so that the maximal logical depth of the formulas in $\Pi'$ is bounded by $2^{2k}\,\mathrm{ld}(S)$.

Using the proposition we find a proof $\Pi_1$ such that for all formulas $A$ in $\Pi_1$, $\mathrm{ld}(A) \le 2^{2k}\,\mathrm{ld}(S)$. We introduce a notation that counts the maximal number of iterations of (tind)-rules in $\mathrm{LK}^{(\mathrm{tind})}$-proofs.

Definition 2. $\mathrm{it}(\Pi)$ is defined inductively on the length of $\Pi$. Assume $|\Pi| = 0$, then $\mathrm{it}(\Pi) \stackrel{\mathrm{def}}{=} 0$. Otherwise assume $\mathrm{it}(\Pi')$ has already been defined for proofs $\Pi'$, $|\Pi'| \le k$, and let $|\Pi| = k + 1$.

We proceed by case-analysis on the last inference rule $Q$. Assume $Q$ is a (tind)-rule, then $\mathrm{it}(\Pi) \stackrel{\mathrm{def}}{=} \mathrm{it}(\Pi') + 1$. Now assume otherwise $Q$ is a binary inference rule with subproofs $\Pi_1, \Pi_2$. Then $\mathrm{it}(\Pi) = \max\{\mathrm{it}(\Pi_1), \mathrm{it}(\Pi_2)\}$. In the case $Q$ is a unary rule, simply set $\mathrm{it}(\Pi)$ equal to $\mathrm{it}(\Pi')$.

We perform a last transformation on the given proof $\Pi_1$. A formula $A$ is called propositional if $A$ does not contain any bound variables. We define

$$2_0^x = x, \qquad 2_{i+1}^x = 2^{2_i^x}.$$

The cut-degree $\rho(\Pi)$ of a proof $\Pi$ is defined by induction. Let $\Pi_i$, $i = 1, 2$ be direct subproofs of $\Pi$. Assume the last inference rule in $\Pi$ is a Cut with cut-formula $A$. Let $\rho(\Pi) = \max(\mathrm{ld}(A), \rho(\Pi_1), \rho(\Pi_2))$. Otherwise let $\rho(\Pi) = \max(\rho(\Pi_1), \rho(\Pi_2))$.

Theorem 1. Let $\Pi$ be a proof in $\mathrm{LK}^{(\mathrm{tind})}$. Then we can transform $\Pi$ to a proof $\Pi'$ of the same end-sequent $S$ such that $\Pi'$ admits propositional cuts only. Moreover

$$|\Pi'| \le 2_{\rho(\Pi)}^{2(|\Pi|+1)}, \qquad \mathrm{it}(\Pi') \le$$

The proof of the admissibility of cut-reduction is well-known, see e.g. [18]. Hence, it remains to prove the stated result on the iteration of (tind)-inferences. For our purposes it is best to follow Buss' proof of cut-elimination [9]. Note that our notion of proof-length is slightly different. The first step is to transform $\Pi_1$ to a proof in which initial sequents are atomic. One can bound the length of the transformed proof $\Pi_2$ in terms of $k$ and $\mathrm{ld}(S)$. More precisely $|\Pi_2| \le 5 \cdot k \cdot 2^{2k}\,\mathrm{ld}(S)$ $(=: l)$, cf. [2].
To show the admissibility of cut-reduction it suffices to investigate a variant of the Reduction Lemma. The theorem then follows by induction on the cut-degree.

Lemma 1. Let $\Pi_1, \Pi_2$ be derivations of $\Gamma_1 \to \Delta_1, A, \Theta_1$ and $\Gamma_2, A, \Theta_2 \to \Delta_2$, respectively, such that $\rho(\Pi_i) < \mathrm{ld}(A)$. Then we can find a proof $\Pi$ of $\Gamma_1, \Gamma_2, \Theta_2 \to \Delta_1, \Theta_1, \Delta_2$ with $|\Pi| \le (|\Pi_1| + |\Pi_2| + 1)^2$ such that $\rho(\Pi) < \mathrm{ld}(A)$. Moreover $\mathrm{it}(\Pi) \le \mathrm{it}(\Pi_1) + \mathrm{it}(\Pi_2)$.

Proof. The argument centers around a case analysis of the form of the cut formulas. (We assume acquaintance with [9].) For brevity we concentrate on the case where the cut formula is of the form $\exists x B(x)$. W.l.o.g. we may assume that both cut-formulas are not derived by weakenings. Note that no ancestor of the cut-formula $A$ can be a principal formula of a (tind)-inference. Assume there exist $k$ $\exists$:right introductions for ancestors of $A$ in $\Pi_1$. Consider

$$\frac{S \to T, B(t), \Omega}{S \to T, \exists x B(x), \Omega}$$

We assert an enumeration of all such $t$: $t_1, \dots, t_k$. For each $t_i$ a proof $\Pi_2^i$ of $\Gamma_2, B(t_i), \Theta_2 \to \Delta_2$ is obtained from $\Pi_2$. The procedure is standard. Now replace all sequents $S \to T$ in $\Pi_1$ by $S \to T^-$, where $T^-$ denotes $T$ after removal of all predecessors of $A$. This step transforms $\exists$:right inferences to

$$\frac{S \to T^-, B(t_i), \Omega^-}{S \to T^-, \Omega^-}$$

Then the lower sequent follows from the upper sequent by a cut-inference with $\Pi_2^i$. The final proof $\Pi$ is obtained by induction on $k$. The bound on the length of $\Pi$ follows as in [9]. We only need in addition the following observation: Suppose $|\Pi| = k$. Then it is easy to see that $|\Gamma \to \Delta|$ for some sequent $\Gamma \to \Delta$ is bounded by $k + 1$.

It remains to prove the bound on $\mathrm{it}(\Pi)$. Let $Q_1, \dots, Q_k$ be an enumeration of all (tind)-inferences in $\Pi_1$. In $\Pi$ the same (tind) applications occur, but most likely at different places. We denote them by $Q'_1, \dots, Q'_k$, respectively. It follows by definition that $\mathrm{it}(Q'_i) \le \mathrm{it}(Q_i) + \mathrm{it}(\Pi_2)$. Now the bound on $\mathrm{it}(\Pi)$ follows easily. $\square$

Using Theorem 1 we transform $\Pi_1$ to a proof $\Pi^*$ admitting only propositional cuts. We conclude that $|\Pi^*| \le 2_{\rho(\Pi_1)}^{2(l+1)}$ where $\rho(\Pi_1) \le 2^{2k}\,\mathrm{ld}(S)$. To abbreviate the bound for $|\Pi^*|$ we introduce the primitive recursive function $\varphi(l, \mathrm{ld}(S)) := 2_{\rho(\Pi_1)}^{2(l+1)}$ (recall that $l = 5 \cdot k \cdot 2^{2k}\,\mathrm{ld}(S)$). For simplicity we assume that $|\Pi^*| = \varphi(k, \mathrm{ld}(S)) = r$. We denote the sequence of formulas occurring in the succedent (antecedent)

$$D_k(0, \dots, 0), \dots, D_k(s^{N_1}(0), \dots, s^{N_{q_k}}(0))$$

for arbitrary natural numbers $N_1, \dots, N_{q_k}$, by $\bigvee D_k(s^{N_1}(0), \dots, s^{N_{q_k}}(0))$.

Definition 3. Let $T$ be a Herbrand sequent written as

$$\bigwedge C_1(s^{N_1}(0), \dots, s^{N_{p_1}}(0)), \dots, \bigwedge C_c(s^{N_1}(0), \dots, s^{N_{p_c}}(0)) \to \bigvee D_1(s^{N_1}(0), \dots, s^{N_{q_1}}(0)), \dots, \bigvee D_d(s^{N_1}(0), \dots, s^{N_{q_d}}(0)).$$

Then the sequent

$$C_1(a_1, \dots, a_{p_1}), \dots, C_c(a_1, \dots, a_{p_c}) \to D_1(b_1, \dots, b_{q_1}), \dots, D_d(b_1, \dots, b_{q_d})$$

is called an $\{s,0\}$-matrix of $T$.



Definition 4. The $\{s,0\}$-complexity of $S$, denoted as $\mathrm{complex}^{\{s,0\}}(S)$, is the minimal length of the $\{s,0\}$-matrices of Herbrand sequents of $S$.

We denote the sequence of $m$ equal sequent formulas $F, \dots, F$ by $(F)^m$. The number $m$ is called the multiplicity of $F$.

Lemma 2. Let $\Pi^*$, $|\Pi^*| = r$, be a proof - admitting only propositional cuts - of the end-sequent $S$ (all quantifiers are indicated)

$$\forall y_1 A_1(y_1), \dots, \forall y_a A_a(y_a) \to \exists x_1 B_1(x_1), \dots, \exists x_b B_b(x_b).$$

Then there is a proof $\Pi'$ of

$$(\forall y_1 A_1(y_1))^{k_1}, \dots, (\forall y_a A_a(y_a))^{k_a} \to (\exists x_1 B_1(x_1))^{l_1}, \dots, (\exists x_b B_b(x_b))^{l_b}$$

such that only quantifier-free formulas are subject to contractions. Moreover $|\Pi'| \le$ and $\sum_i k_i + \sum_j l_j \le r$.

Proof. By our assumptions on the form of $S$ the initial sequents cannot contain quantifiers. Moreover (tind) and propositional inferences are applied to quantifier-free formulas only. By omitting all contractions on quantified formulas we obtain a proof $\Pi'$ from $\Pi^*$ fulfilling the conditions of the lemma. Obviously for any of these formulas the multiplicity is bounded by the number of inferences in $\Pi^*$. Using induction on $k$ it is easy to verify the claim on the proof-length of $\Pi'$. $\square$

Theorem 2. Let $\Pi^*$, $|\Pi^*| = r$, be a proof - admitting only propositional cuts - of the end-sequent $S$ with $\mathrm{it}(\Pi^*) = l$. Then we find a Herbrand sequent $T$ of $S$

such that the tuples $\bar p_k, \bar q_l$; $k = 1, \dots, c$; $l = 1, \dots, d$ denote tuples of indices $(i_1, \dots, i_{p_k})$ and $(j_1, \dots, j_{q_l})$ chosen accordingly.

Moreover $\max\{p_1, \dots, p_c, q_1, \dots, q_d\} \le \mathrm{it}(\Pi^*)$ (note that $\mathrm{len}(\bar p_k) = p_k$ and $\mathrm{len}(\bar q_l) = q_l$) and $c + d \le r$.
Proof. We apply Lemma 2 to $\Pi^*$ to obtain a proof $\Pi'$ with the denoted properties. We proceed by an induction on $|\Pi'|$ by a case-distinction on the last inference rule $Q$. We concentrate on the cases where $Q$ is either a quantifier rule or a (tind) application. In the other cases the result follows almost trivially by application of the induction hypothesis. With respect to weakening rules we may assume w.l.o.g. that only quantifier-free formulas are introduced.

Assume $Q$ is a $\forall$-left introduction. Then, applying the induction hypothesis we assume the existence of a Herbrand sequent $T'$ of the form above. Note that $T'$ is already in the requested form and the rule can be omitted.

Now assume $Q$ is a (tind)-inference, written as (2). W.l.o.g. we conclude the existence of a Herbrand sequent $T'$:

$$\bigwedge C_1(s^{\bar p}(0), \bar a),\ A(a),\ \bigwedge C_2(s^{\bar q}(0), \bar a') \to \bigvee D_1(s^{\bar u}(0), \bar b),\ A(s(a)),\ \bigvee D_2(s^{\bar v}(0), \bar b')$$

where $s^{\bar p}(0), s^{\bar q}(0), s^{\bar u}(0)$, and $s^{\bar v}(0)$ denote suitable tuples of numerals; the variable $a$ is the eigenvariable of $Q$. (The other variables indicated previously (i.e. in $\Pi'$) are bound variables, freed by the removal of quantifier rules in the previous construction of $T'$.)

We obtain $n$ different sequents $T(i)$ by replacing the eigenvariable $a$ in $T'$ by $0, s^1(0), s^2(0), \dots, s^{n-1}(0)$, respectively. By iterated cuts and subsequent contractions we derive a sequent $T$ according to the conditions of the theorem. Note that the eigenvariable $a$ may occur in the side-formulas in $T(i)$, as in the construction of $T'$ quantifier introductions above $Q$ are omitted. Furthermore observe that $a$ can occur only at places previously bound by quantifiers.

By definition $\mathrm{it}(\Pi^*)$ is $\mathrm{it}(\Pi_0) + 1$. By the step above the length of ‘big’ conjunctions and ‘big’ disjunctions is increased by at most one. Hence the bound on $\mathrm{it}(\Pi^*)$ follows almost trivially. $\square$

Example 1. Consider the sequent $S(l)$:

$$\forall x_1, \dots, \forall x_n \bigvee_{i}^{n} P_i(x_i) \supset P_i(s(x_i)),\ P_1(0), \dots, P_n(0) \to P_1(s^l(0)), \dots, P_n(s^l(0)).$$

$S(l)$ can be uniformly derived cut free, using $n$ iterated (tind) inferences, see Table 2. $\square$

We now argue that $S(l)$ cannot be derived uniformly, admitting only propositional cuts, with less than $n$ iterated inductions. Every Herbrand sequent of $S(l)$ has the form

$$\dots, \bigvee_{i}^{n} P_i(s^{r_i}(0)) \supset P_i(s(s^{r_i}(0))), \dots, P_1(0), \dots, P_n(0) \to P_1(s^l(0)), \dots, P_n(s^l(0))$$

where $r_i \in \mathbb{N}$ are arbitrary. Assume otherwise that $\bigvee_{i}^{n} P_i(s^{r_i}(0)) \supset P_i(s(s^{r_i}(0)))$ for some combination $r_1 < l, \dots, r_n < l$ is not present. Define an evaluation $v$ as follows
$$v(P_i(s^k(0))) \stackrel{\mathrm{def}}{=} \begin{cases} \mathrm{true} & k \le r_i \\ \mathrm{false} & k > r_i \end{cases}$$

Then $v$ falsifies the sequent and shows that every general Herbrand disjunction for $S(l)$ has to contain at least $n$ ‘big’ disjunctions.

Furthermore the given example shows that our arguments crucially depend on the fact that $S(l)$ is in prenex normal form.

Table 2. Uniform cut-free derivation of $S(l)$

                                        Π₀
    ⋁ᵢ (Pᵢ(aᵢ) ⊃ Pᵢ(s(aᵢ))), P₁(a₁), ..., Pₙ(aₙ) → P₁(s(a₁)), ..., Pₙ(s(aₙ))
    ---------------------------------------------------------------------------
    ∀x₁, ..., xₙ ⋁ᵢ Pᵢ(xᵢ) ⊃ Pᵢ(s(xᵢ)), P₁(a₁), ..., Pₙ(aₙ) → P₁(s(a₁)), ..., Pₙ(s(aₙ))
    ---------------------------------------------------------------------------
    ∀x₁, ..., xₙ ⋁ᵢ Pᵢ(xᵢ) ⊃ Pᵢ(s(xᵢ)), P₁(0), ..., Pₙ(aₙ) → P₁(sˡ(0)), ..., Pₙ(s(aₙ))
    ---------------------------------------------------------------------------
                                        ⋮
    ---------------------------------------------------------------------------
    ∀x₁, ..., xₙ ⋁ᵢ Pᵢ(xᵢ) ⊃ Pᵢ(s(xᵢ)), P₁(0), ..., Pₙ(0) → P₁(sˡ(0)), ..., Pₙ(sˡ(0))

Table 3. Proof fragment Πᵢ

    P(aᵢ) → P(aᵢ)      P(s(aᵢ)) → P(s(aᵢ))
    ---------------------------------------
      P(aᵢ) ⊃ P(s(aᵢ)), P(aᵢ) → P(s(aᵢ))
    ---------------------------------------
    ∀xᵢ P(xᵢ) ⊃ P(s(xᵢ)), P(aᵢ) → P(s(aᵢ))
    ---------------------------------------
    ∀xᵢ P(xᵢ) ⊃ P(s(xᵢ)), P(0) → P(sˡ(0))



Example 1 (continued). Consider the sequents $S'(l)$

$$\bigvee_{i}^{n} \forall x_i\, P_i(x_i) \supset P_i(s(x_i)),\ P_1(0), \dots, P_n(0) \to P_1(s^l(0)), \dots, P_n(s^l(0)).$$

These sequents are uniformly derivable from $n$ instances of the proof-fragment $\Pi_i$ given in Table 3 and $n - 1$ $\vee$-left inferences. Note that the quantifiers in $S'(l)$ can be shifted outward by a single cut-inference with the sequent

$$\forall x_1, \dots, \forall x_n \bigvee_{i}^{n} P_i(x_i) \supset P_i(s(x_i)) \to \bigvee_{i}^{n} \forall x_i\, P_i(x_i) \supset P_i(s(x_i)).$$

Hence $S'(l)$ can be uniformly transformed into $S(l)$. This demonstrates that in some cases the cut-reduction necessarily increases the iterations of (tind)-rules. $\square$



The following example shows that for the results above the restriction of (tind) to quantifier-free formulas is necessary. We assume an extension $T'$ of the system $\mathrm{LK}^{(\mathrm{tind})}$ such that in $T'$ term-induction for $\Sigma_1$-formulas is admissible. We introduce the notation $\phi^0(t) = t$; $\phi^{i+1}(t) = \phi(\phi^i(t))$.

Example 2. In $T'$ the sequent $S(l)$ becomes provable.

$$P(0,0),\ \forall x, y\,(P(x,y) \supset P(s(x), \phi(y))) \to \exists z\, P(s^l(0), z)$$

Every Herbrand sequent $H(l)$, for fixed $l$, has the form

$$\dots, P(s^i(0), \phi^i(0)) \supset P(s^{i+1}(0), \phi^{i+1}(0)), \dots, P(0,0) \to \dots, P(s^l(0), \phi^l(0))$$

where $0 \le i \le l - 1$ are arbitrary. I.e. $\mathrm{complex}^{\{s,0\}}(S(l))$ cannot be bounded uniformly. $\square$

4 Unification and Substitution 

To be able to prove the mentioned bound on the term-depth of non-numerals, we apply results from unification theory, especially the theory of sorted unification. In this section we introduce the relevant concepts and notations. We assume general familiarity with unification theory. (For general background information on unification theory see e.g. [19,14].)

Let $U = s_1 = t_1, \dots, s_k = t_k$ be a unification problem. Then we have the following well-known fact [6,14]. (By $\tau(E)$, $E$ some expression, we denote the term-depth of $E$.) Let $\tau(U) = \max\{\tau(s_i = t_i) : 1 \le i \le k\}$; assume the number of variables $x$ in $U$ with $\tau(x, U) > 0$ (i.e. occurring at depth at least 1 in $U$) is $n$. If $\sigma$ is the m.g.u. of $U$, then $\tau(U\sigma) \le 2^n \tau(U)$. Syntactic unification can be generalised to unification over a sorted language, see e.g. [22] for a survey on sorted unification.
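As an added illustration, not from the paper, the following Python sketch implements plain syntactic unification together with the term-depth τ and checks the bound τ(Uσ) ≤ 2ⁿ·τ(U) on a constructed chain x₁ = f(x₀,x₀), …, x_m = f(x_{m−1},x_{m−1}), whose unifier grows with m; the term encoding and all function names are this example's own.

```python
from typing import Dict, List, Optional, Set, Tuple, Union

# A term is a variable (str) or (function_symbol, args); a constant has no args.
Term = Union[str, Tuple[str, tuple]]
Equation = Tuple[Term, Term]
Subst = Dict[str, Term]


def is_var(t: Term) -> bool:
    return isinstance(t, str)


def depth(t: Term) -> int:
    """Term-depth tau: variables and constants have depth 0."""
    if is_var(t) or not t[1]:
        return 0
    return 1 + max(depth(a) for a in t[1])


def apply(sigma: Subst, t: Term) -> Term:
    """Apply a (triangular) substitution fully."""
    if is_var(t):
        return apply(sigma, sigma[t]) if t in sigma else t
    return (t[0], tuple(apply(sigma, a) for a in t[1]))


def occurs(x: str, t: Term, sigma: Subst) -> bool:
    t = apply(sigma, t)
    if is_var(t):
        return t == x
    return any(occurs(x, a, sigma) for a in t[1])


def unify(problem: List[Equation]) -> Optional[Subst]:
    """Robinson-style m.g.u. of s_1 = t_1, ..., s_k = t_k, or None if not unifiable."""
    sigma: Subst = {}
    work = list(problem)
    while work:
        s, t = work.pop()
        s, t = apply(sigma, s), apply(sigma, t)
        if s == t:
            continue
        if is_var(s):
            if occurs(s, t, sigma):
                return None
            sigma[s] = t
        elif is_var(t):
            work.append((t, s))
        elif s[0] != t[0] or len(s[1]) != len(t[1]):
            return None
        else:
            work.extend(zip(s[1], t[1]))
    return sigma


def tau(problem: List[Equation]) -> int:
    """tau(U) = max over the equations of the depth of either side."""
    return max(max(depth(s), depth(t)) for s, t in problem)


def deep_variables(problem: List[Equation]) -> Set[str]:
    """Variables x with tau(x, U) > 0, i.e. occurring inside some function term."""
    found: Set[str] = set()

    def walk(t: Term, inside: bool) -> None:
        if is_var(t):
            if inside:
                found.add(t)
        else:
            for a in t[1]:
                walk(a, True)

    for s, t in problem:
        walk(s, False)
        walk(t, False)
    return found


def check_depth_bound(problem: List[Equation]) -> Tuple[bool, int, int]:
    """Return (bound holds, tau(U sigma), n) for the m.g.u. sigma of U."""
    sigma = unify(problem)
    assert sigma is not None, "constructed problem is unifiable"
    n = len(deep_variables(problem))
    instantiated = [(apply(sigma, s), apply(sigma, t)) for s, t in problem]
    tau_after = tau(instantiated)
    return tau_after <= 2 ** n * tau(problem), tau_after, n


def chain_problem(m: int) -> List[Equation]:
    """Constructed input: x_1 = f(x_0, x_0), ..., x_m = f(x_{m-1}, x_{m-1});
    tau(U) = 1, the deep variables are x_0 .. x_{m-1}, and x_m sigma has depth m."""
    return [(f"x{i}", ("f", (f"x{i-1}", f"x{i-1}"))) for i in range(1, m + 1)]
```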

We extend $\mathcal{L}$ with a finite set $\mathcal{S}$ of monadic atoms, the base sorts. A sort $T$ is a finite set of base sorts which denotes the intersection of the base sorts. For the sort $\emptyset$ we write $\top$, the top sort. We assert a mapping $\mathrm{sort}: V \to 2^{\mathcal{S}}$. $T(t)$ is called a declaration if $T \in \mathcal{S}$.

The set of well-sorted terms $T_S(\mathcal{L}, V)$, $S$ a sort, is inductively defined as (i) $x \in T_S(\mathcal{L}, V)$ if $S \subseteq \mathrm{sort}(x)$; (ii) $t \in T_S(\mathcal{L}, V)$ if $S(t)$ and $S$ is a base sort; (iii) $t\sigma \in T_S(\mathcal{L}, V)$ if $t \in T_S(\mathcal{L}, V)$ and $x\sigma \in T_{\mathrm{sort}(x)}(\mathcal{L}, V)$ for $x \in \mathrm{var}(t)$; (iv) $t \in T_{S_1, \ldots, S_n}(\mathcal{L}, V)$ if $t \in T_{S_i}(\mathcal{L}, V)$ for all $i$. A unification problem $s_1 = t_1, \ldots, s_k = t_k$ is called sorted solved if it is solved syntactically by a unifier $\sigma$ and for each $x \in \mathrm{dom}(\sigma)$: $x\sigma \in T_{\mathrm{sort}(x)}(\mathcal{L}, V)$. $\sigma$ is then called a sorted unifier.

Note that in general sorted unification is undecidable [22]. However, we are only interested in particular simple sort theories, called order sorted sort theories: all declarations are either of the form $S(x_S)$ or $S(f(x_{1,S_1}, \ldots, x_{n,S_n}))$, where all variables are distinct. Sorted unification in order sorted sort theories is of unification type finitary; for a proof see [22].

Lemma 3. Let $U = s_1 = t_1, \ldots, s_k = t_k$ be a sorted unification problem such that the used sort theory is order sorted, and assume $W$ to be the minimal and complete set of well-sorted unifiers of $U$. Then, if $\sigma \in W$,

$\tau(U\sigma) \le 2^n \tau(U)$

where $n$ is the number of variables $x$ in $U$ such that $\tau(x, U) > 0$.







Matthias Baaz and Georg Moser 



Proof. The proof is by induction on the employed unification rules. Similar to the standard unification rule-set a correct and complete set of rules for sorted unification can be defined. The key rule is Weakening:

$x = t \wedge U' \;\Longrightarrow\; x = v \wedge t = v \wedge U'$

where $x \in V$, $t \notin V$ and there exists a declaration $S(v')$ such that $S \in \mathrm{sort}(x)$, $v$ being a renaming of $v'$. For each stage of the unification procedure we can define a partial substitution $\sigma'$ that consists of those pairs $x \mapsto t$ where $x = t$ is already sorted solved.

The interesting part is to show that although the number of variables $x$ with $\tau(x, U\sigma') > 0$ can increase through Weakening steps, these newly introduced variables can be ignored. Let $\{x_1, \ldots, x_n\}$ denote the set of variables $\{x : \tau(x, U) > 0\}$. We need not have that the variable names in this set are fixed throughout the construction (contrary to 'ordinary' unification). Moreover, Weakening steps may add variables $y_1, \ldots, y_k$ distinct from $x_1, \ldots, x_n$ to $U\sigma'$ such that $\tau(y_i, U) > 0$. However, only Weakening steps can introduce additional variables $y$ with $\tau(y, U) > 0$, but these variables can occur at most once in $U\sigma'$, according to the definition of the sort theory. Hence we can prove that although the actual set $\{x : \tau(x, U) > 0\}$ changes in size, we need only consider renamings of $\{x_1, \ldots, x_n\}$. The elimination of any of these variables may double the depth of $U\sigma'$. However this can happen only $n$ times. □

The basic language $\mathcal{L}$ is extended with variables of sort $S$. $S$ is a base sort, and $T_S$ is defined through the declarations $S(0)$, $S(s(x_S))$. In the sequel we assume the existence of an infinite set of sorted variables $a_{1,S}, a_{2,S}, \ldots$.



5 Term Complexity of Generalisations of Herbrand Sequents

In this section we show that one can define generalisations of Herbrand sequents relative to the complexity of the underlying $\{s,0\}$-matrices. Let $T$ be a Herbrand sequent of $S$. We construct a Herbrand sequent $T'$ of $S$ such that the term-depths of non-numerals in $T'$ are bounded in terms of the $\{s,0\}$-complexity of $S$. To simplify our argumentation we revise the notation for the end-sequent $S$ slightly.

$\forall y_1\,(\ldots\,; A_1, \ldots, A_n),\ \ldots,\ \forall y_{a'}\,(\ldots\,; A_1, \ldots, A_n) \to \exists x_1 H(x_1, A_1, \ldots, A_n),\ \ldots,\ \exists x_b H(x_b, A_1, \ldots, A_n)$

where the $y_1, \ldots, y_{a'}, x_1, \ldots, x_b$ denote variables bound by (weak) quantifiers in $S$. The parameters occurring in $S$ are indicated by $A = A_1, \ldots, A_n$. Let $T$ be a Herbrand sequent of $S$ written as

$H_1(s^1_1, \ldots, s^1_m; A),\ \ldots,\ H_a(s^a_1, \ldots, s^a_m; A) \to \ldots$

One can define a generalisation $T'$ of $T$ such that the depth of terms in $T'$ is bounded in the length of $T$ and the term complexity of the sequent $S$. We define an abstraction $H$ of $T$

$A_1(a^1_1, \ldots, a^1_m; c),\ \ldots,\ A_a(a^a_1, \ldots, a^a_m; c) \to \ldots$

using free variables $a_i, b_i, c_i$, respectively. This abstraction naturally induces a unification problem $U$: Let $P(u_1, \ldots, u_n)$, $P(u'_1, \ldots, u'_n)$ be atomic formulas in $H$. Assume instances $R = P(u_1, \ldots, u_n)\delta$, $R' = P(u'_1, \ldots, u'_n)\delta$ in $T$ such that $R = R'$. Then add the equations

$u_1 = u'_1,\ \ldots,\ u_n = u'_n$

to $U$. Clearly this unification problem is solvable with an m.g.u. $\sigma$ such that $H\sigma\delta = T$ for some substitution $\delta$. It follows by definition of $U$ that $H\sigma$ is valid iff $T$ is valid. Moreover $\tau(H\sigma) \le 2^l \tau(H)$, where $l$ denotes the number of variables in $U$.

Note that in our case we cannot directly apply this reasoning as the number 
of variables in U depends on the length of T. However, this length cannot be 
bound uniformly, cf. Section 2. 

Analogously to the abstraction of $T$ we define the abstraction of an $\{s,0\}$-matrix. Let $N$ be an $\{s,0\}$-matrix of $T$. It is useful to denote $N$ as

$A_1(v^1_1, \ldots, v^1_m; A),\ \ldots,\ A_a(v^a_1, \ldots, v^a_m; A) \to B_1(w^1_1, \ldots, w^1_m; A),\ \ldots,\ B_b(w^b_1, \ldots, w^b_m; A)$

W.l.o.g. we may assume that the variables abstracting numerals in $N$ are $a = a_1, \ldots, a_p$ and $b = b_1, \ldots, b_q$, respectively. In each $s$-formula of $N$ we replace occurrences of variables $a_i$ ($b_j$) that occur as maximal terms by new sorted variables $x_S$. If thus all variables $a_i$ ($b_j$) are replaced, replace all remaining terms $v^i_j$ ($w^{i'}_{j'}$) by free variables $a_{ijk}$ ($b_{i'j'k'}$) of sort $\top$. Otherwise at least one of the $a_i$ ($b_{i'}$) occurs in some $v^i_j$. The number of function symbols in this term, e.g. $v^i_j$, is finite. The construction is by induction on $\tau(v^i_j)$; we concentrate on the step case. Assume $v^i_j = f(t_1, \ldots, t_n)$. We assume sort declarations $A_1, \ldots, A_n$ for the argument terms $t_i$ including one of the $a$. Let $(i_1, \ldots, i_n)$ denote their indices. We add two declarations $A(f(x_{\top,1}, x_{A^*,i_1}, \ldots, x_{A^*,i_n}, x_{\top,n}))$; $A(f(x_{\top,1}, \ldots, x_{\top,n}))$ where for each $i_j$, $A^*$ denotes the appropriate sort declarations. This is repeated till all occurrences of maximal terms in $N$ containing sorted variables are replaced. All remaining occurrences of maximal terms $v^i_j$ are replaced by variables $a_{ijk}$ of sort $\top$.

Let $c$ be a tuple of free variables, and let $S^*$ denote the sequent $S$ where the parameters are replaced by $c$, respectively. The size of a sequent $S$, $\mathrm{size}(S)$, is the number of symbols in $S$.

Theorem 3. Let $T$ be a Herbrand sequent of $S$ written as

$A_1(s^{i_1}(0), \ldots, s^{i_p}(0); A),\ \ldots,\ A_a(s^{i_1}(0), \ldots, s^{i_p}(0); A) \to B_1(s^{j_1}(0), \ldots, s^{j_q}(0); A),\ \ldots,\ B_b(s^{j_1}(0), \ldots, s^{j_q}(0); A)$

where $\bar p = (i_1, \ldots, i_p)$; $\bar q = (j_1, \ldots, j_q)$. Then there exists a generalisation $T'$ of $T$ with $\{s,0\}$-matrix $G$ ($p' \le p$; $q' \le q$)

$G_1(a_{1,S}, \ldots, a_{p',S}; M_1, \ldots, M_n),\ \ldots,\ G_c(a_{1,S}, \ldots, a_{p',S}; M_1, \ldots, M_n) \to D_1(b_{1,S}, \ldots, b_{q',S}; M_1, \ldots, M_n),\ \ldots,\ D_d(b_{1,S}, \ldots, b_{q',S}; M_1, \ldots, M_n)$

such that

$\tau(G) \le 2^{\mathrm{complex}^{\{s,0\}}(T) \cdot \mathrm{size}(S^*)}$.

Proof. We construct an abstraction $H$ of the Herbrand sequent $T$ together with the induced unification problem $U$. Let $N$ be an $\{s,0\}$-matrix of $T$. As above we construct an abstraction $M$ of $N$.

We transform $U$ to a sorted unification problem $U_S$. For each equation $u = u'$ in $U$ there exists a pair $(P(u_1, \ldots, u_n), P(u'_1, \ldots, u'_n))$ in $H$ such that $u = u_i$ and $u' = u'_i$ for some $i$ and there exist equal instances $R, R'$ in $T$. By definition we find abstractions $P(v_1, \ldots, v_n), P(v'_1, \ldots, v'_n)$ of $R, R'$ in $N$. By construction, in the abstraction $M$ there exist term tuples $(w_1, \ldots, w_n)$, $(w'_1, \ldots, w'_n)$ abstracting $v_j$ and $v'_j$, $j = 1, \ldots, n$ respectively. Hence the equation $u_i = u'_i$ in $U$ can be represented by $w_i = w'_i$ in $U_S$.

Clearly the number of variables in $U_S$ depends only on $|N| \le \mathrm{complex}^{\{s,0\}}(T)$ and the number of argument positions in $S$ ($\le \mathrm{size}(S^*)$). Now we can apply sorted unification. However we must not substitute for variables of sort $S$, hence we alter the unification procedure slightly. We change the definition of a (partial) substitution $\sigma'$ wrt. $U_S$. Assume $U_S = x_S = s^l(y_S) \wedge U'_S$ for some $l$. Then the equation $x_S = s^l(y_S)$ is ignored in the definition of $\sigma'$. (It is straightforward to check that this does not affect the validity of Lemma 3.)

The unification problem $U_S$ has a solution $\sigma$, as $T$ codifies a solution of $U$. Applying Lemma 3, the maximal term depth in $M\sigma$ is bounded by $2^{c \cdot s}\,\tau(S^*)$, where $c = \mathrm{complex}^{\{s,0\}}(T)$, $s = \mathrm{size}(S^*)$. The theorem follows by setting $G = M\sigma$. □

6 Generalisation of Terms in $T^{(\mathrm{tind})}$

We obtain a generalisation of large terms in short $T^{(\mathrm{tind})}$-proofs as a consequence of the last sections if these terms are large wrt. other function symbols than the successor $s$.

Let $t$ be a term; then we define the reduct of $t$ informally as the term $t^\circ$ obtained from $t$ by replacing all numerals in $t$ by fresh free variables.

Definition 5. Let $S(a)$ be a sequent in prenex normal form, containing weak quantifiers only; let $N$ be an $\{s,0\}$-matrix. A term basis $\mathcal{T}(S(a), N)$ is a set of terms such that

1. For $t \in \mathcal{T}(S(a), N)$ there exists a Herbrand sequent $T$ of $S(t)$ with $\{s,0\}$-matrix $N$.

2. If there exists a Herbrand sequent $T$ of $S(t')$ with $\{s,0\}$-matrix $N$ then $t' = t\rho$ for some $t \in \mathcal{T}(S(a), N)$.

3. There exists an $h$ such that if $t \in \mathcal{T}(S(a), N)$ then $\tau(t^\circ) \le h$.

Theorem 4. $\mathcal{T}(S(a), N)$ exists for any sequent $S$ in prenex normal form with parameter $a$ and any $\{s,0\}$-matrix $N$.

Proof. Collect the generalisations $A'$ of the parameters $A$ in the construction of the generalisation of a Herbrand sequent of $S$, cf. Theorem 3.

Theorem 4 allows some insight into the proof complexity relation between term induction and 'full' induction w.r.t. quantifier-free formulas, where both are conservative over elementary arithmetic.

Theorem 5 (cf. [23]). Using two instances of the following restricted scheme of identity

$t = 0 \supset g(t) = g(0)$ (5)

we can uniformly derive $0^k = 0$, where $0^k$ abbreviates $\underbrace{0 + (0 + \cdots (0 + 0) \cdots)}_{k\ \text{times}}$, from (i) $0 + 0 = 0$, (ii) $\forall x,y,z\ x = y \wedge y = z \supset x = z$, and (iii) $\forall x,y,z\ x + y = y \supset x = 0$.

Proof. Let $r_1(0+0) = 0^n + (0^{n-1} + \cdots + (0^1 + 0) \cdots)$ where $0 + 0$ is fully indicated. Let $r_2[0+0] = 0^{n-1} + (0^{n-2} + \cdots + (0^1 + (0 + 0)) \cdots)$, where $0 + 0$ in $r_2[0+0]$ refers only to the innermost occurring term $0 + 0$. If we employ the instances of (5) $0 + 0 = 0 \supset r_1(0+0) = r_1(0)$ and $0 + 0 = 0 \supset r_2[0+0] = r_2[0]$, together with an instance of the transitivity axiom (ii) and instances of axiom (i), then $r_1(0+0) = r_2[0]$ is easily derivable. However, $r_1(0+0) = 0^n + r_2[0]$, and therefore $r_1(0+0) = r_2[0]$ is nothing else than $0^n + r_2[0] = r_2[0]$. Hence one final application of axiom (iii) renders the result of the theorem. □

Proposition 3. Using full induction we can derive the implication (5) uniformly from (i) $\forall x\ s(x) \ne 0$ and (ii) $\forall x\ x = x$.

This follows from the formal proof given in Table 4 together with a cut with the sequent $\to 0 = 0 \supset g(0) = g(0)$, which is easily derivable by axiom (ii). However, in $T^{(\mathrm{tind})}$ we obtain the following:

Proposition 4. Assume $\forall x\ 0 + x = x$ and axioms of identity present in $\Gamma$; then

$\exists k\,\forall n\ T^{(\mathrm{tind})} \vdash_k \Gamma \to \Delta, A(0^n)$ iff $\vdash \Gamma \to \Delta, \forall x\,A(x)$

Proof. Let $S(n)$ denote $\Gamma \to \Delta, A(0^n)$. Using Theorem 2 there exists a Herbrand disjunction $H$ of $S$ with matrix $N$. Given short proofs of $S(n)$ for all $n$, we can apply Theorem 4 to conclude the existence of a term $0^k + b$, $b$ some free variable, in $\mathcal{T}(S(a), N)$ such that there exists a Herbrand sequent $T(0^k + b)$ of $S(0^k + b)$. Using the validity of $T(0^k + b)$ we find a proof of $S(0^k + b)$ in LK, hence $T^{(\mathrm{tind})} \vdash \Gamma \to \Delta, \forall x\,A(0^k + x)$. Applying $\forall x\ 0 + x = x$ the result follows easily. □
Table 4. The restricted identity scheme

[Table 4: LK derivation of $\to t = 0 \supset g(t) = g(0)$ by induction, with induction step from $a = 0 \supset g(a) = g(0)$ and $s(a) \ne 0$ to $s(a) = 0 \supset g(s(a)) = g(0)$; proof tree not reproduced.]



Other properties of full induction, e.g. fast addition, see [17], prevail for $T^{(\mathrm{tind})}$:

Proposition 5. Assume $\forall x,y\ x = y \supset s(x) = s(y)$, $\forall x\ 0 + x = x$, $\forall x,y\ s(x + y) = x + s(y) \in \Gamma$. Then there exists $k \in \mathbb{N}$ so that

$T^{(\mathrm{tind})} \vdash_k \Gamma \to s^n(0) + s^m(0) = s^{n+m}(0)$

for arbitrary natural numbers $n, m$.

Kreisel's conjecture, which fails for $T^{(\mathrm{tind})}$, holds if sufficiently reformulated. We abbreviate $s(0)$ by $1$ and define $1^k \equiv 1 + (1 + \cdots (1 + 1) \cdots)$. The proposition follows similarly as Proposition 4.

Proposition 6. Assume that $\Gamma$ contains axioms sufficiently strong to derive $T^{(\mathrm{tind})} \vdash \Gamma \to \forall x\,(\ldots = x \vee \exists y\ y + 1^{n+1} = x)$. Then

$\exists k\,\forall n\ T^{(\mathrm{tind})} \vdash_k \Gamma \to \Delta, A(1^n)$ iff $\vdash \Gamma \to \Delta, \forall x\,A(x)$



7 Conclusion 

We conceive mathematical induction as a principle that states two different things. Firstly (i) a specific generation of terms is stipulated; secondly (ii) a so-called closed world assumption is imposed that these terms refer to all natural numbers.

Term induction formulates the first aspect, and therefore an analysis allows a separate assessment of the different characteristics of mathematical induction. In particular note that (variants of) term induction were already employed in mathematical proofs long before the concept of mathematical induction was introduced, cf. [11]. On the other hand note that term induction need not be restricted to (a restriction of) successor induction; it can be generalised to arbitrary constructor-style [8] term induction. Furthermore, the main results presented in this paper remain valid w.r.t. this extension.

Term induction might therefore provide additional insight into the foundation of mathematical induction and its application to computer science. In particular, further work will be dedicated to applications in the area of inductive theorem proving, see e.g. [7,21,8], and in the area of automated analysis of proofs, cf. [3,4,5].





On a Generalisation of Herbrand’s Theorem 






References 

1. M. Baaz. Über den allgemeinen Gehalt von Beweisen. In Contributions to General Algebra 6, pages 21-29. Hölder-Pichler-Tempsky, Teubner, 1988.

2. M. Baaz and A. Leitsch. On skolemization and proof complexity. Fund. Informaticae, 20(4):353-379, 1994.

3. M. Baaz and A. Leitsch. Cut normal forms and proof complexity. Annals of Pure and Applied Logic, pages 127-177, 1997.

4. M. Baaz and A. Leitsch. Cut elimination by resolution. J. Symbolic Computation, 1999.

5. M. Baaz, A. Leitsch, and G. Moser. System Description: CutRes 0.1: Cut Elimination by Resolution. 1999.

6. M. Baaz and R. Zach. Generalizing theorems in real closed fields. Ann. of Pure and Applied Logic, 75:3-23, 1995.

7. R.S. Boyer and J.S. Moore. A Computational Logic Handbook. Academic Press, 1988.

8. A. Bundy. The Automation of Proof by Mathematical Induction. Elsevier Science Publisher, 2001. To appear.

9. S. R. Buss. An introduction to proof theory. In S. R. Buss, editor, Handbook of Proof Theory, pages 1-79. Elsevier Science, 1998.

10. W.M. Farmer. A unification-theoretic method for investigating the k-provability problem. Ann. Pure Appl. Logic, pages 173-214, 1991.

11. H. Gericke. Mathematik in Antike und Orient. Springer Verlag, 1984.

12. D. Hilbert and P. Bernays. Grundlagen der Mathematik 2. Springer Verlag, 1970.

13. J. Krajíček and P. Pudlák. The number of proof lines and the size of proofs in first-order logic. Arch. Math. Logic, 27:69-84, 1988.

14. A. Leitsch. The Resolution Calculus. EATCS Texts in Theoretical Computer Science. Springer, 1997.

15. R.J. Parikh. Some results on the length of proofs. Trans. Amer. Math. Soc., pages 29-36, 1973.

16. P. Pudlák. The lengths of proofs. In S. Buss, editor, Handbook of Proof Theory, pages 547-639. Elsevier, 1998.

17. D. Richardson. Sets of theorems with short proofs. J. Symbolic Logic, 39(2):235-242, 1974.

18. H. Schwichtenberg. Some applications of cut-elimination, pages 867-897. North Holland, 5th edition, 1989.

19. J. H. Siekmann. Unification Theory, pages 1-68. Academic Press, 1990.

20. G. Takeuti. Proof Theory. North-Holland, Amsterdam, 2nd edition, 1980.

21. C. Walther. Mathematical induction, volume 12, pages 122-227. Oxford University Press, 1994.

22. C. Weidenbach. Sorted unification and tree automata. In Wolfgang Bibel and Peter H. Schmitt, editors, Automated Deduction - A Basis for Applications, volume 1 of Applied Logic, chapter 9, pages 291-320. Kluwer, 1998.

23. T. Yukami. Some results on speed-up. Ann. Japan Assoc. Philos. Sci., 6:195-205, 1984.




Well-Founded Recursive Relations 



Jean Goubault-Larrecq 

LSV, ENS Cachan, 61 av. du président Wilson, F-94235 Cachan Cedex, France
Phone: +33-1 47 40 24 30 Fax: +33-1 47 40 24 64
goubault@lsv.ens-cachan.fr



Abstract. We give a short constructive proof of the fact that certain binary relations $>$ are well-founded, given a lifting à la Ferreira-Zantema and a well-founded relation $\rhd$. This construction generalizes several variants of the recursive path ordering on terms and of the Knuth-Bendix ordering. It also applies to other domains, of graphs, of infinite terms, of word and tree automata notably. We then extend this construction further; the resulting family of well-founded relations generalizes Jouannaud and Rubio's higher-order recursive path orderings.

Keywords: Termination, well-foundedness, path orderings, Knuth-Bendix orderings, λ-calculus, higher-order path orderings, graphs, automata.



1 Introduction 

The use of well-founded orderings is a well-established technique to show that term rewrite systems terminate [4]. On the other hand, the tradition in λ-calculus circles, exemplified by the Tait-Girard technique [10], is to show termination by structural induction on terms, backed by auxiliary well-founded inductions. In fact, the recursive path ordering can be proved terminating by structural induction on terms, as noticed in [14].

Prompted by [12], we wrote a direct inductive proof of the termination of the recursive path ordering $>_{rpo}$ based on a well-founded precedence [4], which turned out to be surprisingly short. Our point is that this proof generalizes considerably, while remaining short and constructive, and still using only elementary principles of logic. Chasing generalizations and simplifications, we arrived at Theorem 1, which is the core of this paper. We state it and prove it in Section 2. Here the use of the Coq proof assistant [1] helped us in reassuring ourselves that the proof was indeed correct, but more importantly helped us delineate useful generalizations and useless assumptions.

The rest of the paper examines applications and extensions of Theorem 1. First, we shall see in Section 3 that it subsumes Ferreira and Zantema's Theorem [8], and therefore most path orderings of the literature.

Theorem 1 is more general still, if only because it does not depend on term structure. That is, this construction works equally well on other kinds of algebras. We illustrate this by sketching a few well-founded relations resembling the recursive path ordering on graphs, on infinite terms, and on word and tree automata in Section 4.

Theorem 1 seems however helpless in establishing that simply-typed λ-terms terminate. We extend Theorem 1 by augmenting its proof with two ingredients that are crucial in the classical Tait-Girard proof of strong normalization [10], and come up with a suitable generalization of Jouannaud and Rubio's higher-order recursive path ordering (horpo) [13] in Section 5, Theorem 2. This provides for variants of the horpo that also generalize semantic path orderings and the general path ordering, just like Theorem 1 did in the first-order case. (Again, we checked the proof in Coq.)

We conclude in Section 6 by pondering over yet unexploited features of Theorem 1 and Theorem 2, and possible generalizations.

Related Work. Proving the termination of term rewrite systems by structural induction on terms is not new. This is classical in the λ-calculus. Similar techniques are extensively used in [7], where several proofs of termination consist in showing that for every substitution $\sigma$ mapping variables to terminating terms, the term $t\sigma$ terminates by induction on some well-founded measure on $t$ and $\sigma$. Jouannaud and Rubio [14] also notice that recursive path orderings can be shown well-founded by the same technique. However, our proof of Theorem 1 is in fact simpler: it does not consider substitutions, and proceeds directly on $t$. Naturally, Theorem 1 does not consider the higher-order case. Theorem 2 does, and this requires both the use of substitutions as above and replacing strong normalization by the stronger, and more complex notion of reducibility [10], a.k.a. computability [13]. We shall demystify the latter notion in Section 5: reducibility is just ordinary strong normalization, albeit of a richer reduction relation.

On first-order term algebras, the closest result to our first theorem (Theorem 1) is Ferreira and Zantema's Theorem [8], which is almost Theorem 1 specialized to the case of terms. We shall indeed rederive the latter from ours. Theorem 2 can then be seen as the higher-order, abstract version of Ferreira and Zantema's Theorem.

We stress the fact that our results are in no way tied to term structure, and that this allows to design syntactic well-founded path orderings on graphs, infinite terms and automata. We are not aware of any previous termination method resembling recursive path orderings on algebras other than terms.

Finally, Paul-André Melliès [16] suggested a deep connection between Kruskal's Theorem and the termination of recursive path orderings, including Ferreira and Zantema's Theorem. We have not managed to reverse the duality and deduce Kruskal's Theorem from Theorem 1: the problem is that Melliès' definition of a well-founded relation $R$ is different from ours, namely that in any sequence there is $i < j$ such that not $s_i\,R\,s_j$. Furthermore, this difference seems essential.



2 The First Termination Theorem and Its Proof 

Let $T$ be any set, and $\rhd$, $>$ and $\gg$ be three binary relations on $T$. For short, we write $u \lhd t$ for $t \rhd u$, and $\ge$ for the reflexive closure of $>$. Assume that $>$ has the following property:

Property 1. For every $s, t \in T$, if $s > t$ then either:

(i) for some $u \in T$, $s \rhd u$ and $u \ge t$;

(ii) or $s \gg t$ and for every $u \lhd t$, $s > u$.

Remark 1. Condition (ii) resembles Ferreira and Zantema's [8] condition that $\gg$ be a term lifting. We shall see the precise connection in Section 3, Corollary 1.

Remark 2. Although the notation suggests it, none of $\rhd$, $>$, $\gg$ are required to be transitive. Taking them to be orderings, as is standard in the literature, is an orthogonal issue to termination.

Remark 3. A more general definition would be to take $\ge$ as primitive and define $>$ by $s > t$ if and only if $s \ge t$ and $t \not\ge^* s$, where $\ge^*$ is the reflexive transitive closure of $\ge$. We feel that this would only make the presentation more clumsy, while the additional generality can be obtained by reasoning over $T/(\ge^* \cap \le^*)$.

Remark 4. A general way of obtaining $>$ satisfying Property 1, which we shall use in the sequel, is as follows. Let $\rhd$ be given, and let $R \mapsto\ \gg_R$ be any monotonic function from binary relations to binary relations. By monotonic, we mean that $R \subseteq R'$ implies $\gg_R\ \subseteq\ \gg_{R'}$. Let $>$ be the greatest binary relation on $T$ such that Property 1 holds, where $\gg$ abbreviates $\gg_>$. This is well-defined by Tarski's Fixpoint Theorem on the complete lattice of binary relations over $T$. (In fact, $>$ is then the greatest binary relation such that $s > t$ if and only if (i) or (ii).)

Let us talk about termination. An element $s \in T$ is accessible in the binary relation $R$, a.k.a., $s$ is in the well-founded part of $R$, if and only if every decreasing sequence $s_0 = s\ R\ s_1\ R\ s_2\ R \ldots R\ s_k\ R \ldots$ starting from $s$ is finite. The relation $R$ is well-founded, or terminating (over $T$) if and only if every $s \in T$ is accessible in $R$.

We shall use a slightly more general notion than accessibility. Let $S$ be any subset of $T$. Say that $S$ bars $s$ in $R$ if and only if every infinite sequence $s_0 = s\ R\ s_1\ R\ s_2\ R \ldots R\ s_k\ R \ldots$ starting from $s$ meets $S$, that is, $s_k \in S$ for some $k \ge 0$. The proper, constructive characterization of bars is the following principle, due to Brouwer:

Proposition 1 (Bar induction). For every property $P$ on $T$, if:

1. every $s \in S$ satisfies $P(s)$,

2. and for every $s \in T$, if $P(t)$ for every $t$ such that $s\,R\,t$, then $P(s)$,

then every $s \in T$ barred by $S$ in $R$ satisfies $P(s)$.

In fact, the set $B$ of all terms $s$ barred by $S$ in $R$ is defined as the smallest such that $P = \lambda s \cdot s \in B$ satisfies 1 and 2 above.

Remark 5. An element $s$ is accessible in $R$ if and only if the empty set bars $s$ in $R$.
Our first theorem is the following:

Theorem 1. Let $SN$ be the set of all $s \in T$ that are accessible in $>$, and $\overline{SN}$ be the set of all $s$ such that, if every $u \lhd s$ is in $SN$, then $s$ is in $SN$. Assume that the following conditions hold:

(iii) $\rhd$ is well-founded on $T$;

(iv) for every $s \in T$, if every $u \lhd s$ is in $SN$, then $\overline{SN}$ bars $s$ in $\gg$.

Then $>$ is well-founded on $T$. Equivalently, $SN = T$.

Proof. We are going to prove this in excruciating detail: the proof is short but subtle.

First observe that $SN$ satisfies the following properties:

for every $s \in SN$, if $s > t$ then $t \in SN$ (1)

for every $s \in T$, if every $t$ such that $s > t$ is in $SN$, then $s \in SN$ (2)

We shall show that every $s \in T$ is in $SN$, by well-founded induction on $\rhd$, using (iii). I.e., let our first induction hypothesis be:

For every $u \lhd s$, $u \in SN$ (3)

and let us show that $s \in SN$. To show the latter, it is enough to show $s \in \overline{SN}$, that is, if every $u \lhd s$ is in $SN$ then $s \in SN$. Indeed $s \in SN$ will follow easily, using (3).

Now let us show $s \in \overline{SN}$ under assumption (3). By (3) and (iv), $\overline{SN}$ bars $s$ in $\gg$, so we may prove $s \in \overline{SN}$ by bar induction. Following Proposition 1, we have:

— (Base case) $s \in \overline{SN}$: obvious.

— (Inductive step) Assume that for every $t$ such that $s \gg t$, $t \in \overline{SN}$ holds, and prove $s \in \overline{SN}$. Expanding the definition of $\overline{SN}$, we must show that $s \in SN$ under the assumptions:

For every $t$ such that $s \gg t$ and such that every $u \lhd t$ is in $SN$, $t \in SN$ (4)

For every $u \lhd s$, $u \in SN$ (5)

Using (2), it is enough to show that whenever $s > t$, $t \in SN$. We show this by well-founded induction on $t$ ordered by $\rhd$, which is well-founded by (iii). Our new induction hypothesis is therefore:

For every $u \lhd t$, if $s > u$ then $u \in SN$ (6)

Now since $s > t$, use Property 1, which yields two cases:

(i) For some $u \lhd s$, $u \ge t$. By (5), $u \in SN$. By (1), $t \in SN$.

(ii) Or $s \gg t$ and for every $u \lhd t$, $s > u$. By (6) every such $u$ is in $SN$. To sum up, $s \gg t$ and for every $u \lhd t$, $u \in SN$. By (4) $t \in SN$. □







Remark 6. Condition (iv) is a bit hard to apply. Defining $\widetilde{SN}$ as the set of all $s \in T$ such that every $u \lhd s$ is in $SN$, a less general but simpler condition is:

(v) for every $s \in T$, if every $u \lhd s$ is in $SN$, then $s$ is accessible in $\gg|_{\widetilde{SN}}$,

where $R|_A$ denotes $R$ restricted to $A$. Indeed (v) implies (iv): assume that $s$ is such that every $u \lhd s$ is in $SN$, and show that $s$ is barred by $\overline{SN}$ in $\gg$ by induction on $\gg|_{\widetilde{SN}}$, which is legal by (v). It is enough to show that every $t$ such that $s \gg t$ is barred by $\overline{SN}$ in $\gg$. If $t \in \widetilde{SN}$, apply the induction hypothesis. Otherwise $t \notin \widetilde{SN}$ clearly implies $t \in \overline{SN}$. (Note that this argument is not constructive.)

3 Path Orderings 

In this section, let $T$ be the set of all first-order terms on a given signature and a given set of variables. Let $\rhd$ denote the immediate superterm relation, defined as the smallest such that $f(s_1, \ldots, s_m) \rhd s_i$ for each $m$-ary function symbol $f$ and every $i$, $1 \le i \le m$.

Path Orderings. Path orderings are obtained by taking $\rhd$ as just defined. Condition (iii) is then satisfied. The relation $>$ obtained by Remark 4 is then such that $s > t$ if and only if either:

(i) $s = f(s_1, \ldots, s_m)$ and $s_i \ge t$ for some $i$, $1 \le i \le m$;

(ii) or $s \gg t$ and either $t$ is a variable, or $t = g(t_1, \ldots, t_n)$ and $s > t_j$ for all $j$, $1 \le j \le n$.

In this form, $>$ starts looking more like the recursive path ordering and its variants. And indeed, Theorem 1 has the following corollaries:

— Dershowitz' original recursive path ordering [3] on the well-founded precedence $\succ$ is well-founded: define $s \gg_R t$ if and only if $s$ is of the form $f(s_1, \ldots, s_m)$, $t$ is of the form $g(t_1, \ldots, t_n)$, and either $f \succ g$ or $f = g$ and $\{s_1, \ldots, s_m\}\ R_{mul}\ \{t_1, \ldots, t_n\}$;

— similarly Kamin and Lévy's lexicographic path ordering [15]: $s \gg_R t$ if and only if $s = f(s_1, \ldots, s_m)$, $t = g(t_1, \ldots, t_n)$, and either $f \succ g$, or $f = g$, $m = n$, and $(s_1, \ldots, s_n)\ R_{lex}\ (t_1, \ldots, t_n)$ (meaning $s_1 = t_1, \ldots, s_{k-1} = t_{k-1}$ and $s_k\ R\ t_k$ for some $k$, $1 \le k \le n$);

— The recursive path ordering with status (easy exercise);

— Plaisted's semantic path ordering [4]: given a well-founded quasi-ordering $\succeq$ on terms with strict part $\succ$ and equivalence $\approx$, $s \gg_R t$ if and only if either $s \succ t$, or $s \approx t$ and $\{s_1, \ldots, s_m\}\ R_{mul}\ \{t_1, \ldots, t_n\}$ (recall that the strict part of a preordering $\succeq$ is $\succ\ =\ \succeq \setminus \preceq$, while its equivalence is $\approx\ =\ \succeq \cap \preceq$);

— Dershowitz and Hoot's general path ordering [5] (easy justification omitted).
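The characterization of $>$ by (i) and (ii) above is directly executable on finite terms. The following added example (not the paper's code, nor its Coq development) implements it with Kamin and Lévy's lexicographic lifting $\gg_R$ and a finite precedence, and uses it to orient constructed rewrite rules for addition and Ackermann's function; the term encoding and the rule set are assumptions of this example.

```python
# Added example (not from the paper): the fixpoint characterization of > from
# Section 3, with the Kamin-Levy lexicographic lifting >>_R, as a rule checker.
# Terms: a variable is a str; a compound term is a tuple (symbol, arg1, ..., argk);
# a constant such as 0 is the 1-tuple ('0',).
from typing import Callable, Dict, List, Tuple, Union

Term = Union[str, tuple]
Prec = Dict[str, int]        # finite precedence: f > g iff prec[f] > prec[g]
Rel = Callable[[Term, Term], bool]


def is_var(t: Term) -> bool:
    return isinstance(t, str)


def kl_lifting(s: tuple, t: tuple, prec: Prec, R: Rel) -> bool:
    """s >>_R t (Kamin-Levy): f above g in the precedence, or the same symbol
    with the same arity and the argument tuples related by R_lex, i.e.
    s_1 = t_1, ..., s_{k-1} = t_{k-1} and s_k R t_k for some k."""
    f, g = s[0], t[0]
    if prec.get(f, 0) > prec.get(g, 0):
        return True
    if f != g or len(s) != len(t):
        return False
    for a, b in zip(s[1:], t[1:]):
        if a != b:
            return R(a, b)
    return False          # identical argument tuples are not related by R_lex


def gt(s: Term, t: Term, prec: Prec) -> bool:
    """s > t per Property 1 on terms:
    (i)  s = f(s_1..s_m) and s_i >= t for some i (>= is the reflexive closure), or
    (ii) s >> t and s > t_j for every immediate subterm t_j of t.
    Clause (ii) also admits a variable t in the text, but the Kamin-Levy lifting
    only relates compound terms, so that branch never applies here."""
    if is_var(s):
        return False                      # a variable has no subterms, no lifting
    if any(si == t or gt(si, t, prec) for si in s[1:]):
        return True                       # (i)
    if is_var(t):
        return False
    if not kl_lifting(s, t, prec, lambda a, b: gt(a, b, prec)):
        return False
    return all(gt(s, tj, prec) for tj in t[1:])   # (ii)


def orients(rules: List[Tuple[Term, Term]], prec: Prec) -> bool:
    """True iff every rule l -> r satisfies l > r, i.e. > orients the system."""
    return all(gt(l, r, prec) for l, r in rules)


# Constructed sample system: Peano addition and Ackermann's function.
def s(t: Term) -> Term:
    return ('s', t)


def plus(a: Term, b: Term) -> Term:
    return ('plus', a, b)


def ack(a: Term, b: Term) -> Term:
    return ('ack', a, b)


ZERO: Term = ('0',)
X, Y, M, N = 'x', 'y', 'm', 'n'

ADD_ACK_RULES: List[Tuple[Term, Term]] = [
    (plus(X, ZERO), X),
    (plus(X, s(Y)), s(plus(X, Y))),
    (ack(ZERO, N), s(N)),
    (ack(s(M), ZERO), ack(M, s(ZERO))),
    (ack(s(M), s(N)), ack(M, ack(s(M), N))),
]
PREC: Prec = {'ack': 3, 'plus': 2, 's': 1, '0': 0}

if __name__ == "__main__":
    print(orients(ADD_ACK_RULES, PREC))   # True
```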

One way to show at once that these orderings are well-founded is to show that 
Ferreira and Zantema’s result [8] is a consequence of Theorem 1. We silently 
assume here that all terms are ground, each variable x being considered as a 
nullary function symbol. 







Corollary 1 (Ferreira-Zantema). Let $>$ be a partial order on a set of first-order terms. A term lifting is a strict ordering $\gg$ on terms such that for each set $A$ of terms, if $>|_A$ is well-founded, then $\gg|_{\bar A}$ is well-founded, where $\bar A$ is the set of terms $f(s_1, \ldots, s_m)$ where $s_i \in A$ for all $i$, $1 \le i \le m$.

Assume that $>$ has the subterm property (i.e., $s \rhd t$ implies $s > t$). Also, assume that $s = f(s_1, \ldots, s_m) > t$ implies either that $s_i \ge t$ for some $i$, $1 \le i \le m$, or $s \gg t$.

Then $>$ is well-founded.

Proof. Take $\gg$ as given; $\rhd$ and $>$ are already defined.

We must first show that $s > t$ implies (i) or (ii) (see Property 1). So assume $s > t$. By assumption, there are two cases. Case 1: $s_i \ge t$ for some $i$; then (i) holds with $u = s_i$. Case 2: $s \gg t$. In this case every $u \lhd t$ is of the form $t_j$, $1 \le j \le n$; since $>$ has the subterm property, $t > t_j$; since $>$ is transitive and $s > t$, it obtains $s > t_j$, therefore (ii) holds.

Condition (iii) is trivial. Let us show (iv), or rather (v) (Remark 6): let $s$ be such that every $u \lhd s$ is in $SN$, i.e., $s \in \widetilde{SN}$. Let $A$ be $SN$. Then $\bar A$ is $\widetilde{SN}$: by assumption $>|_A$, i.e., $>|_{SN}$, is well-founded, so $\gg|_{\widetilde{SN}}$ is well-founded. So $s$ is accessible in $\gg|_{\widetilde{SN}}$. Then apply Theorem 1. □

Knuth-Bendix Orderings. Theorem 1 also generalizes Dershowitz' version of the Knuth-Bendix ordering [4]. Let $\succeq_T$ and $\succeq_F$ be two preorderings, respectively on terms and on function symbols, with strict parts $\succ_T$ and $\succ_F$ and equivalences $\approx_T$ and $\approx_F$. Choose $\rhd = \emptyset$ and let $s \gg_R t$ if and only if (a) $s \succ_T t$, or (b) $s \approx_T t$, $s = f(s_1, \ldots, s_m)$, $t = g(t_1, \ldots, t_n)$, and either $f \succ_F g$ or $f \approx_F g$, $m = n$ and $(s_1, \ldots, s_m)\ R_{lex}\ (t_1, \ldots, t_n)$. Remark 4 builds a binary relation $>$; this is the Knuth-Bendix ordering $>_{kbo}$ of [4]. (Note that since $\rhd = \emptyset$, $s > t$ if and only if $s \gg_> t$.) Theorem 1 then allows us to retrieve:

Corollary 2. If $\rhd\ \subseteq\ \succ_T$ and $\succ_T$ and $\succ_F$ are well-founded, then $>_{kbo}$ is well-founded.

Proof. Property (iii) is trivial. Let us show (iv), and consider any chain $s = s_0 >_{kbo} s_1 >_{kbo} \ldots >_{kbo} s_k >_{kbo} \ldots$ For every $k \ge 0$, for every immediate subterm $u$ of $s_k$, $u \prec_T s_k$, since $\rhd\ \subseteq\ \succ_T$. Since $s_k \preceq_T s$ and $\succeq_T$ is transitive, $u \prec_T s$, so $u \in SN$ by assumption. In particular, the whole chain is inside $\widetilde{SN}$, the set of terms whose immediate subterms all are in $SN$. Clearly $>_{kbo}$ restricted to $\widetilde{SN}$ is well-founded, since it is a lexicographic product of $\succ_T$, $\succ_F$ and, for each function symbol $f$, of a lexicographic extension of $>_{kbo}$ restricted to $SN$. So the chain is finite, hence $s$ is accessible in $\gg|_{\widetilde{SN}}$. This proves (v) (Remark 6). □

Monotonicity, Stability. To show that a rewrite system terminates, it is important that the relation > be monotonic, i.e., s > t implies f(..., s, ...) > f(..., t, ...) - this notation meaning f(s_1, ..., s_{i-1}, s, s_{i+1}, ..., s_n) > f(s_1, ..., s_{i-1}, t, s_{i+1}, ..., s_n); and that it be stable, i.e., s > t implies sσ > tσ for every substitution σ. We state conditions under which these properties hold.




490 Jean Goubault-Larrecq 



Lemma 1. Let > be defined as in Remark 4. Assume that:

(vi) whenever s R t, f(..., s, ...) ≫_R f(..., t, ...);

(vii) whenever f(..., t, ...) ▷ u, then u = t or f(..., s, ...) ▷ u for every s ∈ T.

Then > is monotonic.

Proof. Assume that s > t. By (vi) f(..., s, ...) ≫ f(..., t, ...). It remains to show that for every u ◁ f(..., t, ...), f(..., s, ...) > u. By (vii) every such u is such that f(..., s, ...) ▷ u - therefore f(..., s, ...) > u - or t = u - then f(..., s, ...) ▷ s > t = u, so f(..., s, ...) > u. □

Lemma 2. Let > be defined as in Remark 4. Recall in particular that ≫_R is monotonic in R. Assume that:

(viii) ▷ is stable;

(ix) ≫_R is stable whenever R is;

(x) whenever s ≫_R x, where x is a variable, then s ▷* x;

(xi) if u ◁ t'σ and t' is not a variable, then for some u', u = u'σ and u' ◁ t'.

Then > is stable.

Proof. Let >' be defined by s >' t if and only if for some terms s', t' and for some substitution σ, s = s'σ, t = t'σ, and s' > t'. We claim that s >' t implies either:

(i') for some u ◁ s, u >' t;

(ii') or s ≫_{>'} t and for every u ◁ t, s >' u.

Since > ⊆ >' and > is the greatest relation satisfying (i) or (ii), it will follow that > = >', therefore that > is indeed stable.

So assume s >' t, i.e., s' > t' and s = s'σ, t = t'σ. Then either (i) s' ▷ u' > t', in which case s'σ ▷ u'σ by (viii) and u'σ >' t'σ by definition, so (i') holds; or (ii) s' ≫ t' and for every u' ◁ t', s' > u'. In the latter case, since R ↦ ≫_R is monotonic and > ⊆ >', s' ≫_{>'} t'; since >' is stable, by (ix) ≫_{>'} is, too, so s ≫_{>'} t. On the other hand, we claim that for every u ◁ t, s >' u; (ii') will follow. Distinguish two cases:

1. If t' is not a variable, by (xi) there is a term u' such that u = u'σ and u' ◁ t'. But by assumption u' ◁ t' implies s' > u', so s >' u.

2. If t' is a variable x, by (x) s' ▷* x. By (viii) s = s'σ ▷* xσ = t ▷ u. So s ▷⁺ u. It follows that s > u, so trivially s >' u. □



Remark 7. Conditions (vii), (viii) and (xi) are automatically verified when ▷ is the empty relation or ▷, as above. In the recursive and lexicographic cases, as well as the recursive path ordering with status, (vi) holds: we retrieve the fact that these orderings are monotonic. In the same cases, (ix) and (x) hold - the latter because s ≫_R x is always false -, so these orderings are also stable, as is already known.
4 Well-Founded Orderings on Graphs, Infinite Terms, Automata

Theorem 1 does not need to operate on terms. As an application of this remark, let T be the set of all finite edge-labeled rooted graphs - graphs for short. Recall that a graph G is a 6-tuple (V, E, ∂_0, ∂_1, ℓ, v_0), where V is a finite set of so-called vertices, E is a finite set of so-called edges, ∂_0 and ∂_1 are functions from E to V - ∂_0 e is the source vertex of edge e, ∂_1 e is its target -, ℓ is a map from E to labels in some fixed set Σ, v_0 ∈ V is called the root of G. We abbreviate the fact that e is an edge with source v_0 and target v_1, and label f, by the notation e : v_0 --f--> v_1. We let root(G) be the root of G, and if v is any vertex in V, we let G/v be the graph G with new root v, i.e., (V, E, ∂_0, ∂_1, ℓ, v).

Here are a few natural candidates for the ▷ relation, resembling the immediate superterm relation on terms:

— the post-edge-erasure relation ▷_+ : if G = (V, E, ∂_0, ∂_1, ℓ, v_0), G ▷_+ G' if and only if there is an edge e : v_0 --f--> v_1 in E such that G' is isomorphic to (V, E \ {e}, ∂_0, ∂_1, ℓ, v_1) - i.e., we erase e and change the root to the target of e;

— the pre-edge-erasure relation ▷_- : with the same notations, G ▷_- G' if and only if G' is isomorphic to (V, E \ {e}, ∂_0, ∂_1, ℓ, v_0) - i.e., we erase e and leave the root on the source of e;

— the edge-collapsing relation ▷_0 : with the same notations again, G ▷_0 G' if and only if G' is isomorphic to (V/~, E \ {e}, e ↦ |∂_0 e|_~, e ↦ |∂_1 e|_~, ℓ, |v_0|_~), where ~ is the equivalence relation v_0 ~ v_1, and |v|_~ is the equivalence class of v under ~ - i.e., we equate v_0 and v_1 and remove e;

— the garbage-collection relation ▷_gc : G ▷_gc G' if and only if G' is obtained from G by removing vertices and edges that are unreachable from root(G).

Any union of any of these relations is well-founded, since all of them decrease the size of graphs, measured as the number of vertices plus the number of edges. Define the reflexive transitive closure ⊵_minor of ▷_+ ∪ ▷_- ∪ ▷_0 ∪ ▷_gc. It is natural to say that G' is a minor of G whenever G ⊵_minor G' [18], as then G' is obtained by taking a subgraph of some graph obtained from G by collapsing edges.
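The four relations listed above and the size measure of this paragraph, as an added example that is not part of the paper: a Python model of finite edge-labelled rooted graphs with each relation as a function, run on a constructed graph to check that every step strictly decreases the number of vertices plus edges. The representation (named edges, strings for vertices), the choice of the source as class representative in ▷_0, and the reading of ▷_gc as applying only when something is actually unreachable are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Edge = Tuple[str, str, str]  # (∂0 e, ∂1 e, ℓ e): source, target, label


@dataclass
class Graph:
    """Finite edge-labelled rooted graph (V, E, ∂0, ∂1, ℓ, v0) as in the text."""
    V: FrozenSet[str]
    E: Dict[str, Edge]   # edge name -> (source, target, label)
    root: str


def size(G: Graph) -> int:
    """Measure used in the text: number of vertices plus number of edges."""
    return len(G.V) + len(G.E)


def root_edges(G: Graph) -> List[str]:
    """Edges e : root(G) --f--> v1, i.e. the edges whose source is root(G)."""
    return sorted(e for e, (src, _, _) in G.E.items() if src == G.root)


def post_erasure(G: Graph, e: str) -> Graph:
    """G ▷+ G': erase e (which must leave the root) and move the root to its target."""
    src, tgt, _ = G.E[e]
    assert src == G.root
    return Graph(G.V, {k: v for k, v in G.E.items() if k != e}, tgt)


def pre_erasure(G: Graph, e: str) -> Graph:
    """G ▷- G': erase e (which must leave the root) and keep the root on its source."""
    src, _, _ = G.E[e]
    assert src == G.root
    return Graph(G.V, {k: v for k, v in G.E.items() if k != e}, G.root)


def collapse(G: Graph, e: str) -> Graph:
    """G ▷0 G': identify the endpoints of e (class represented by the source) and drop e."""
    v0, v1, _ = G.E[e]
    cls = lambda v: v0 if v == v1 else v     # |v|~ for the equivalence v0 ~ v1
    E = {k: (cls(s), cls(t), l) for k, (s, t, l) in G.E.items() if k != e}
    return Graph(frozenset(cls(v) for v in G.V), E, cls(G.root))


def gc(G: Graph) -> Optional[Graph]:
    """G ▷gc G': drop everything unreachable from root(G).
    Returns None when nothing is unreachable (then G' would equal G and the size
    would not drop); this example reads the relation that way to keep it well-founded."""
    seen, todo = set(), [G.root]
    while todo:
        v = todo.pop()
        if v in seen:
            continue
        seen.add(v)
        todo.extend(t for (s, t, _) in G.E.values() if s == v)
    E = {k: edge for k, edge in G.E.items() if edge[0] in seen}
    if len(seen) == len(G.V) and len(E) == len(G.E):
        return None
    return Graph(frozenset(seen), E, G.root)


def top(G: Graph) -> List[Tuple[str, str]]:
    """top(G): the multiset of pairs (f, root of G/v1) for e : root(G) --f--> v1, as a sorted list."""
    return sorted((G.E[e][2], G.E[e][1]) for e in root_edges(G))


def successors(G: Graph) -> List[Graph]:
    """All G' with G ▷ G' for ▷ = ▷+ ∪ ▷- ∪ ▷0 ∪ ▷gc."""
    out = [post_erasure(G, e) for e in root_edges(G)]
    out += [pre_erasure(G, e) for e in root_edges(G)]
    out += [collapse(G, e) for e in sorted(G.E)]
    g = gc(G)
    return out + ([g] if g is not None else [])


def all_successors_shrink(G: Graph) -> bool:
    """The text's well-foundedness argument: every ▷-step strictly decreases size()."""
    return all(size(H) < size(G) for H in successors(G))


def sample_graph() -> Graph:
    """Constructed input: a 3-cycle through the root A plus a self-looping vertex D."""
    E = {"e1": ("A", "B", "a"), "e2": ("B", "C", "b"), "e3": ("C", "A", "c"),
         "e4": ("A", "D", "d"), "e5": ("D", "D", "a")}
    return Graph(frozenset("ABCD"), E, "A")
```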

For every graph G, let top(G) be the multiset of all pairs (f, G/v_1), where e : root(G) --f--> v_1 ranges over edges in G with source root(G). We may then define an analogue of the recursive path ordering by the construction of Remark 4 again. Take any precedence ≻ on Σ, let ▷ be any union of relations ▷_+, ▷_-, ▷_0, ▷_gc, and define ≫_R by, say, G ≫_R G' if and only if top(G) ((≻, R)_lex)_mul top(G'). Condition (iii) is trivial. Condition (iv), in fact (v) (Remark 6) also holds. So Theorem 1 allows us to conclude that > is well-founded.

When ▷ is exactly the minor relation ⊵_minor, another plausible line of proof to show that > is well-founded would have been by adapting Dershowitz' proof of the termination of the recursive path ordering [3], replacing any use of Kruskal's Theorem by a suitable variant of Robertson and Seymour's Theorem ([18], p. 305). The latter indeed states that (non-rooted, non-labeled) graphs under the embedding-by-minors ordering are well-quasi-ordered. However, the proof of Robertson and Seymour's Theorem is considerably more involved than that of Theorem 1. Moreover, there is no hope of using it to establish that > is well-founded when ▷ is not ⊵_minor.

Remark 8. Here Tarski's Fixpoint Theorem is needed in Remark 4. Contrary to Section 3, there is no unique relation > such that s > t if and only if (i) or (ii) holds, since graphs may contain loops. Choosing the greatest allows us to get a comparison predicate > that makes the most pairs of graphs comparable. We conjecture that simple loop-checking mechanisms will provide an algorithm for deciding >.



Remark 9. It is immediate to adapt the above definitions to non-oriented graphs, where edges are just unordered pairs {v_0, v_1} of distinct vertices.



Remark 10. It is easy to extend the above definitions to ordered multigraphs, where labeled edges are rewrite rules of the form f(v_1, ..., v_n) ⇒ v_0, where v_0, v_1, ..., v_n are vertices and the label f is an n-ary function symbol. (This generalizes edges v_0 --f--> v_1 when f is unary.) We may let top(G), for any multigraph G, be the multiset of all f(v_1, ..., v_n) such that f(v_1, ..., v_n) ⇒ v_0 is an edge in G with v_0 = root(G), and define ≫_R by comparing such multisets by the multiset extension of the lexicographic product of a precedence on function symbols and R, n times, as in the lexicographic path ordering. (It is of course possible to have function symbols with multiset status, where arguments v_1, ..., v_n are compared by the multiset extension of R, and in general to use any kind of extraction and termination function as in [5].)

Such multigraphs are exactly non-deterministic finite tree automata with one final state (the root) [9]; in this context the edge f(v_1, ..., v_n) ⇒ v_0 is usually written f(v_1, ..., v_n) → v_0. The > relations might have applications in showing that certain sequences of tree automata are ultimately stationary, as needed in building widenings [2] in tree automata-based abstract interpretations such as [17,11].



Remark 11. Multigraphs where, for each vertex v_0, there is exactly one edge of the form f(v_1, ..., v_n) ⇒ v_0 are exactly regular infinite terms, as used in Prolog for example. The construction of this section therefore provides well-founded relations that may be of use in extending completion and narrowing-based automated deduction tools to the case of regular infinite terms.

5 Higher-Order Path Orderings 

Theorem 1 seems to be insufficient to show that every simply-typed λ-term terminates. While the proof of Theorem 1 proceeds by showing that every s ∈ T is in SN directly, in the classical strong normalization proof of the simply-typed λ-calculus [10] one shows that for every s ∈ T, sσ is reducible of its type, where σ is any substitution mapping variables to reducible terms of the correct types, and reducibility is a new property that implies termination. Trying to integrate these notions into Theorem 1, we obtain the following. (For the sake of comparison, we have taken similar numbering conventions as in Section 2, with a ° superscript; e.g., condition (i) becomes (i)°.)

Let T be any set, and ▷, ▶, > and ≫ be four binary relations on T. Assume that:

Property 2. For every s, t ∈ T, if s > t then either:

(i)° for some u ∈ T, s ▶ u and u > t;

(ii)° or s ≫ t and for every u ◁ t, either s > u or for some v ◁ s, v > u.

Remark 12. Compared with Property 1, the main difference is the use of ▶ instead of ▷ in the first alternative. In general we will have ▷ ⊆ ▶; in the typed λ-calculus for example, ▶ will be the union of the immediate superterm relation and of β-contraction at the top. The added complication in (ii)° is inspired from [13].



Theorem 2. Let ▷° be any binary relation on T. Let SN° be the set of all s ∈ T that are accessible in > ∪ ▷°, SN̄° = {s ∈ T | for every u (◁ ∪ ◁°) s, u ∈ SN°}, and SN̂° = {s ∈ T | if s ∈ SN̄° then s ∈ SN°}.

Let S be some set, σ_0 ∈ S, and _ · _ be an (infix) map from T × S to T. Assume:

(iii)° ▷ is well-founded on T;

(iv)° for every s ∈ T, if for every u ◁ s, for every σ ∈ S, u · σ is in SN°, then for every σ ∈ S, SN̂° bars s · σ in ≫;

(xii) for every s ∈ T, s · σ_0 = s;

(xiii) for every s ∈ T, σ ∈ S, either s · σ ∈ SN° or for every u (◁ ∪ ◁°) s · σ, u ∈ SN° or there is a v ◁ s and σ' ∈ S such that v · σ' (> ∪ ▷°) u;

(xiv) for every s', t, u ∈ T, if s' ≫ t ▷° u, then t ▷ u or s' ▷° v > t for some v ∈ T;

(xv) for every s', u ∈ T, if s' ▶ u and every v (◁ ∪ ◁°) s' is in SN°, then u is in SN°.

Then T = SN°. In particular, > is well-founded.

We prove Theorem 2 shortly. The proof is very similar to that of Theorem 1, and the reader is invited to proceed directly to applications following the proof. Meanwhile, observe that Theorem 1 is the special case of Theorem 2 where ▶ = ▷, S is any one-element set {σ_0}, s · σ_0 = s, and ▷° is the empty relation.

Proof. We show that for every s ∈ T, for every σ ∈ S, s · σ is in SN°. Using (xii) and σ = σ_0, it will follow that s ∈ SN°. This is by induction on ▷, which is legal by (iii)°. So the following induction hypothesis is available:

For every u ◁ s, for every σ ∈ S, u · σ ∈ SN° (3)°

Fix σ: we wish to show s · σ ∈ SN°. We claim that this is entailed by: (*) s · σ ∈ SN̂°. Indeed, by (xiii), either s · σ ∈ SN° and we are done, or for every u (◁ ∪ ◁°) s · σ, u ∈ SN°, or there is a v ◁ s and σ' ∈ S such that v · σ' (> ∪ ▷°) u; in the latter case v · σ' ∈ SN° by (3)°, so u ∈ SN° again: since every u (◁ ∪ ◁°) s · σ is in SN°, (*) indeed implies s · σ ∈ SN°, by the definition of SN̂°.

It remains to show (*). By (3)° and (iv)°, SN̂° bars s · σ in ≫. We show that s · σ ∈ SN̂° by showing that any s' barred by SN̂° in ≫ is in fact in SN̂°, by bar induction. The base case is obvious. In the inductive case, assume that for every t such that s' ≫ t, t ∈ SN̂°, and prove s' ∈ SN̂°. Expanding the definition of SN̂°, we must show that s' ∈ SN° under the assumptions:

For every t, if s' ≫ t and every u (◁ ∪ ◁°) t is in SN°, then t ∈ SN° (4)°

For every u (◁ ∪ ◁°) s', u ∈ SN° (5)°

To show that s' ∈ SN°, it suffices to show that every t such that s' (> ∪ ▷°) t is in SN°, which we show by induction on ▷. So the following induction hypothesis is available:

For every u ◁ t, if s' (> ∪ ▷°) u then u ∈ SN° (6)°

Since s' (> ∪ ▷°) t, we distinguish three cases, two when s' > t, one when s' ▷° t:

(i)° For some u with s' ▶ u, u > t. By (xv) and (5)°, u ∈ SN°, so t ∈ SN°.

(ii)° Or s' ≫ t and for every u ◁ t, either s' > u or v > u for some v ◁ s'. For each u ◁ t, if s' > u then by (6)° u ∈ SN°; and if s' ▷ v > u, then by (5)° v ∈ SN° so u ∈ SN° again. To sum up: (†) for every u ◁ t, u ∈ SN°. Moreover, for each u ◁° t, by (xiv) either t ▷ u or s' ▷° v > t for some v; if t ▷ u, by (†) u ∈ SN°, and if s' ▷° v > t, then v ∈ SN° by (5)°, so t ∈ SN°, so u ∈ SN° since t ▷° u. Summing up and combining with (†), we get: for every u (◁ ∪ ◁°) t, u ∈ SN°. By (4)° it obtains t ∈ SN°.

• Or s' ▷° t. Then t ∈ SN° by (5)°. □

Higher-Order Recursive Path Orderings. Theorem 2 entails that Jouannaud and 
Rubio’s higher-order path ordering [13,14] is well-founded. We also take the op- 
portunity to generalize it. 

Let 𝒯 be an algebra of so-called types, including a → binary infix operator. That is, whenever τ_1 and τ_2 are types, so is τ_1 → τ_2. Let ≥_𝒯 be a well-founded ordering on types such that (τ_1 → τ_2) ≥_𝒯 τ_1 and (τ_1 → τ_2) ≥_𝒯 τ_2. A signature Σ is any map from so-called function symbols f, g, ..., to arities τ_1, ..., τ_n ⇒ τ, where τ_1, ..., τ_n, τ are types in 𝒯. For each type τ ∈ 𝒯, let 𝒱_τ be pairwise disjoint countably infinite sets of so-called variables of type τ, written as x_τ, y_τ, ... We write x, y, ..., instead of the latter when the types are clear from context.

Recall that the language of algebraic λ-terms over Σ is the smallest collection of sets Λ_τ when τ ranges over types in 𝒯, such that 𝒱_τ ⊆ Λ_τ, such that MN ∈ Λ_τ whenever M ∈ Λ_{τ' → τ} and N ∈ Λ_{τ'}, such that λx_τ · M ∈ Λ_{τ → τ'} whenever M ∈ Λ_{τ'}, and such that f(M_1, ..., M_n) ∈ Λ_τ whenever f ∈ dom Σ, Σ(f) = τ_1, ..., τ_n ⇒ τ, and M_1 ∈ Λ_{τ_1}, ..., M_n ∈ Λ_{τ_n}. We drop type subscripts when irrelevant or clear from context. We also consider that any two α-equivalent terms are equated, i.e., we reason on the set T of equivalence classes of terms in Λ = ⋃_{τ ∈ 𝒯} Λ_τ modulo α-renaming. By abuse of language, we shall say that M ≥_𝒯 N when M ∈ Λ_τ, N ∈ Λ_{τ'}, and τ ≥_𝒯 τ'.

Let us build a relation > on typed λ-terms by mimicking Remark 4:

Definition 1. Let ▷ be the immediate subterm relation (in particular λx_τ · M ▷ M[x := y_τ] for every variable y_τ, where M[x := N] denotes the capture-avoiding substitution of N for x in M). Let β be the smallest relation such that (λx · M)N β M[x := N], and ▶ be ▷ ∪ β. Let ≫_R be given and monotonic, and define > as the largest binary relation such that s > t implies s ≥_𝒯 t and also either (i)° or (ii)°, where ≫ denotes ≫_>.

Clearly > satisfies Property 2. Moreover s > t implies s ≥_𝒯 t, by construction.

Remark 13. We get Jouannaud and Rubio's horpo [14] by using the following definition for ≫_R. Split function symbols in dom Σ into symbols with multiset status and symbols with lexicographic status. Let ≻ be any strict ordering on dom Σ. Let M ≫_R N if and only if either:

1. M = f(M_1, ..., M_m), N = g(N_1, ..., N_n) (f, g ∈ dom Σ) and f ≻ g, or f = g has multiset status and {M_1, ..., M_m} R_mul {N_1, ..., N_n}, or f = g has lexicographic status, m = n, and (M_1, ..., M_m) R_lex (N_1, ..., N_n);

2. or M = f(M_1, ..., M_m), N = N_1 N_2 (f ∈ dom Σ);

3. or M = M_1 M_2, N = N_1 N_2 and {M_1, M_2} R_mul {N_1, N_2};

4. or M = λx · M_1, N = λx · N_1 (where x is the same on both sides, up to α-renaming) and M_1 R N_1.

To apply Theorem 2, first define M ▷° N by induction on the type of M, ordered by ≥_𝒯, as follows. M ▷° N if and only if M is an abstraction λx_{τ_1} · M_1, of type τ_1 → τ_2, and N = M_1[x := N_1] for some N_1 in SN° of type τ_1. Note that since > ∪ ▷° ⊆ ≥_𝒯, any (> ∪ ▷°)-reduction starting from N_1 only involves λ-terms of types ≤_𝒯 τ_1, on which ▷° is already defined by induction hypothesis: therefore "N_1 in SN° of type τ_1" is well-defined by induction hypothesis in the definition of ▷° for terms M of type τ_1 → τ_2.

Remark 14. This construction implies that SN°, the set of accessible terms in > ∪ ▷°, is also the set of terms M that are in SN (the set of terms that are strongly normalizing for >), and such that, if M has type τ_1 → τ_2, then whenever M >* λx_{τ_1} · M_1, for every N_1 ∈ SN° of type τ_1, M_1[x := N_1] is in SN° of type τ_2. This is one of the classical definitions of reducibility (a.k.a., computability) [6]. In this sense, Theorem 2 is a reducibility argument, just like [13].

Second, let S be the set of all substitutions mapping variables x_τ to λ-terms in SN° of type τ, let σ_0 be the empty substitution, and let M · σ denote application of substitution σ to M. Conditions (iii)° and (xii) are obvious.

Condition (xiii) is justified as follows. Let s be a typed λ-term, σ ∈ S. If s is a variable, by construction s · σ ∈ SN°. Otherwise, consider any u (◁ ∪ ◁°) s · σ. If u ◁ s · σ, then since s is not a variable, u is written v · σ for some immediate subterm v of s; i.e., (xiii) is proved with σ' = σ, v · σ' = u. If u ◁° s · σ, then since s is not a variable, s must be written λx · M_1, with M_1 · σ[x := N_1] = u for some N_1 ∈ SN°: take v = M_1, and σ' the substitution mapping x to N_1 and every other variable y to y · σ (taking x outside the domain of σ, by α-renaming).

Condition (xv) is justified as follows. Assume that: (*) every u (◁ ∪ ◁°) s' is in SN°. If s' ▶ u, then either s' ▷ u and (xv) is clear; or s' β u. If s' β u, then s' is of the form (λx · M)N and u = M[x := N]. By (*) N is in SN° and λx · M is in SN° too. So M[x := N] ◁° λx · M is in SN°.

So only conditions (iv)° and (xiv) are not automatically verified. We get the following corollary to Theorem 2:

Lemma 3. Let ▷ be as in Definition 1, and ≫ be ≫_>. Assume that:

1. for every λ-term M, if every immediate subterm of M is in SN°, then M is accessible in ≫;

2. if M ≫ λx · M_1, then M is of the form λx · M_0 and M_0 · σ > M_1 · σ for every σ ∈ S.

Then > is well-founded.

Proof. Condition (iv)° follows from 1 by the same argument as in Remark 6. Let us prove (xiv). Assume s' ≫ t ▷° u. By definition t must be of the form λx · M_1 and u = M_1[x := N_1] with N_1 ∈ SN°. By 2, s' = λx · M_0 and M_0[x := N_1] > M_1[x := N_1]. Take v = M_0[x := N_1], then s' ▷° v > u. □

Lemma 1 still holds in the higher-order case, provided the following condition is added: whenever s R t and f(..., s, ...) and f(..., t, ...) are well-typed, then f(..., s, ...) ≥_𝒯 f(..., t, ...); and provided in the notation f(..., s, ...), f is taken to be any function symbol, or application, or λ-abstraction. Lemma 2 holds without modification. It follows that Jouannaud and Rubio's horpo (Remark 13) is well-founded, monotonic and stable. By construction, it also includes β-reduction.

Remark 15. Lemma 3 can be seen as a suitable generalization of Ferreira and Zantema's result to the case of higher-order rewrite relations. Note that condition 2, which basically says that any term that is ≫ an abstraction must also be an abstraction, is fundamental. Jouannaud and Rubio's horpo in addition requires applications to be ≪ any term of the form f(...) with f ∈ dom Σ, and abstractions cannot be ≫ any non-abstraction term; these conditions are simply not needed.

6 Conclusion 

We hope to have demonstrated that Theorem 1 and Theorem 2 have very general 
scopes. In term algebras, we retrieve all variants of path orderings, as well as the 
Knuth-Bendix orderings. The scope of Theorem 1, and naturally of Theorem 2 
as well, exceeds term algebras, and we have sketched a few path ordering-like 
constructions on graphs, automata, and infinite terms. Theorem 2 then provides 
a general extension of Jouannaud and Rubio’s higher-order path ordering. 
There are at least two points that deserve further study. First, the proofs of
Theorem 1 and Theorem 2 are intuitionistic, and therefore give rise to algorithms 
that might be used to implement reduction machines and study the complexity of 
reductions. Second, because Theorem 1 and Theorem 2 deal with general binary 
relations, we believe that a deeper understanding of the duality of [16] and of 
possible connections with Theorem 1 would be profitable. It has been pointed out 
by an anonymous referee that F. Veltman has produced a constructive version 
of Kruskal’s Theorem, which may be useful in this endeavor. 
Abstract. Context unification is a variant of second order unification
and also a generalization of string unification. Currently it is not known 
whether context unification is decidable. A decidable specialization of 
context unification is stratified context unification, which is equivalent 
to satisfiability of one-step rewrite constraints. 

This paper contains an optimization of the decision algorithm, which 
shows that stratified context unification can be done in polynomial space. 



1 Introduction 

Context unification is a variant of second order unification and also a gener- 
alization of string unification. There are unification procedures for the more 
general problem of higher-order unification (see e.g. [Pie73,Hue75,SG89]). It is 
well-known that higher-order unification and second-order unification are un- 
decidable [Gol81,Far91,LV00a] and that string unification is decidable [Mak77]. 
Recent upper complexity estimations are that it is in EXPSPACE [Gut98], in 
NEXPTIME [Pla99a] and even in PSPACE [Pla99b]. 

Context unification problems are restricted second-order unification prob- 
lems. Context variables represent terms with exactly one hole in contrast to a 
term with an arbitrary number of holes in the general second-order case. The 
name contexts was coined in [Com93], see also [Com98a,Com98b]. Currently, it 
is not known whether context unification is decidable. It is known that it is 
NP-hard (cf. [SSS98]), and that satisfiability of formulas in a logical theory of
context unification is undecidable [NPR97a,Vor98]. 

There are some decidable fragments: If for every context variable X, all oc- 
currences of X have the same argument [Com98a,Com98b]; if the number of 
occurrences of every first order variable and every context variable is at most 
two [Lev96], if there are at most two context variables [SSS99], or if the context 
unification problems are stratified [SS99b]. There is also some work on generalizations of context unification [LV00b] aiming at decidability. A decidable
restriction of second order unification similar in spirit to context unification is 
bounded second order unification [SS99a], where second order variables represent 
terms with a number of holes that is bounded by a given number. 
Applications of context unification and stratified context unification are for
example in computational linguistics [NPR97a,EN00], in particular as a uniform 
framework for semantic underspecification of natural language [NPR97b]. The 
fragment of stratified context unification is expressive enough for applying it 
in computational linguistics. It was also used in equational unification as an 
important step in showing decidability of distributive unification [SS98]. It was 
proved that one-step rewrite constraints and stratified context unification can 
be interreduced [NTT00]. As a lower bound for the complexity it is known that stratified context unification is NP-hard [SSS98]. The method in [SS99c] estimates the complexity of the unification algorithm on the basis of the main depth
of cycles. This appears to be insufficient for upper estimations, so the current 
paper gives an upper complexity bound based rather on the size of the repre- 
sentation of cycles. The main depth of cycles may be exponential. Basing an 
upper complexity estimation on the translation to string unification described 
in [SS94] and then using the PSPACE upper bound in [Pla99b] does not work, 
since the translation is not polynomial. 

This paper analyses the complexity of the decision algorithm for stratified 
context unification in [SS99b] if it is enhanced with compression techniques like 
sharing and power-expressions. A key technique is to use nested powers of con- 
texts. The following new result is proved in this paper: 

Theorem: Stratified context unification is in PSPACE.

A corollary following from [NTTOO] is: 

Theorem: Satisfiability of one-step rewrite constraints is in PSPACE. 

The upper polynomial space bound for stratified context unification may have 
an impact on context unification algorithms used in computational linguistics. 
The paper is structured as follows. First we describe a decision algorithm CSCU 
for stratified context unification as a translation from [SS99b]. This is done by first describing the data structure, then the adapted rules, and at last a space estimation is given showing that the decision algorithm CSCU is in PSPACE. Note that this paper relies on the description and proofs in [SS99b].

2 Preliminaries 

Let Σ be a signature of function symbols. Every function symbol comes with an arity, denoted ar(f), which is a nonnegative integer. Function symbols with ar(f) = 0 are also called constant symbols. We assume that the signature contains at least one constant symbol and at least one non-constant function symbol, in particular we also allow that the signature may be infinite or monadic. Let V_1 be the set of first-order variables x, y, z, ..., V_2 be the set of context variables X, Y, Z, ..., and V := V_1 ∪ V_2. Terms t are formed using the grammar t ::= x | f(t_1, ..., t_{ar(f)}) | X(t_0), where x is a first-order variable, f is a function symbol, X is a context variable, and t_i are terms. For a constant a, we write a
instead of a(). We denote terms using the letters s, t. Syntactic equality of terms s, t is denoted as s = t. The set of variables occurring in the term s is denoted as Var(s). A term s is called a ground term if s has no occurrences of variables. Contexts are formed by the grammar C[·] ::= [·] | X(C[·]) | f(t_1, ..., C[·], ..., t_{ar(f)}), where [·] is called the hole (also trivial context, Id), f is a function symbol, X is a context variable, C is a context, and t_i are terms. Contexts must contain exactly one occurrence of the hole. We denote contexts as C[·], or as C, if it is not ambiguous, and the subterm X([·]) is abbreviated as X(·). The notation C[t] means the term where the term t is plugged into the hole of C[·]. We denote syntactic equality of contexts by =. A ground context is a context without occurrences of variables, i.e., it can be seen as a ground term with a single hole, where a signature with the additional constant [·] is used. The length of the position of the hole in the ground context C is called main depth and denoted as |C|. The size of terms is the number of occurrences of symbols, and the size of contexts is the number of occurrences of symbols not counting the hole. This may be denoted as size(·).

A (ground) substitution is a mapping from terms to ground terms with the following properties. A substitution σ can be represented as {x_i → t_i, X_j → C_j | i = 1, ..., n, j = 1, ..., m}, where t_i, i = 1, ..., n is a ground term and C_j, j = 1, ..., m is a ground context. σ operates on terms t by replacing all occurrences of variables x_i by t_i, i = 1, ..., n and replacing all occurrences of context variables X_j by C_j, j = 1, ..., m. The replacement of X by C[] means to replace all subterm occurrences of the form X(s) by C[s], and the replacement of X by Id is done by replacing all subterm occurrences of the form X(s) by s. The ground substitution σ has as domain the set {x_i | i = 1, ..., n} ∪ {X_j | j = 1, ..., m} and as codomain the set {t_i | i = 1, ..., n} ∪ {C_j | j = 1, ..., m}.

The tree addresses in terms and contexts are also called positions, which are words of positive integers. The expression t|_p (C|_p) denotes the subterm (subcontext) of t (of C) at position p.

If C_1, C_2 are contexts, then we denote the context C_1[C_2[·]] also as C_1C_2. A prefix of a context C is a context C_1, such that C_1C_2 = C for some context C_2.

A context unification problem (CUP) is a set Γ of equations, denoted as {s_1 = t_1, ..., s_n = t_n}. An equation of the form X(s) = Y(t) is called flat equation. The multiset term(Γ) is defined to be {s, t | (s = t) ∈ Γ}. The size of Γ is the sum of the sizes of the terms in term(Γ), denoted as size(Γ). With Var(Γ) we denote the set of variables occurring in Γ, and with Var_i(Γ) we denote the set Var(Γ) ∩ V_i for i = 1, 2.

A unifier of Γ is a ground substitution σ with domain containing Var(Γ), which solves all equations in Γ, i.e., σ(s) = σ(t) for all (s = t) ∈ Γ. A CUP Γ is called unifiable, if there is a unifier of Γ.

A unifier σ of Γ is called minimal if there is no other unifier σ' of Γ with

$$\sum_{X \in Var_2(\Gamma)} size(\sigma'(X)) < \sum_{X \in Var_2(\Gamma)} size(\sigma(X)).$$
A ground substitution σ has exponent of periodicity n ([Mak77,SSS98]), iff n is the maximal number, such that there is some context variable X and ground contexts A, B, C, where B is not trivial, such that $\sigma(X) = A\,\underbrace{B \cdots B}_{n}\,C$.

Proposition 2.1. ([SSS98]) There is a constant c, such that for every unifiable context unification problem Γ and for every minimal unifier σ of Γ its exponent of periodicity is at most ^

3 An Overview of the Translated Algorithm 

The idea of the translation is to represent the performance of the algorithm 
SCU in [SS99b] in a compressed data structure. The first order variables that 
are used for sharing in CSCU correspond to subterms in SCU. However, not 
every subterm in the problems in SCU is also represented in CSCU as a first 
order variable. Many subterms are implicitly represented in power expressions. 

In the following we describe the translated rules. We have also to add a 
rigorous description of the sharing methods, but we omit arguments for sound- 
ness, correctness, and termination, since these are explained in [SS99b], and the 
algorithm in this paper mimics the algorithm SCU. 

The algorithm "compressed stratified context unification decision algorithm" CSCU has an initial input Γ, which is without occurrences of power expressions. Let E_Γ be the upper bound on the exponent of periodicity given by the bound in Lemma 2.1 for Γ.

A preprocessing called flattening is required in order to exploit sharing on 
the term level. The decomposition rules are a bit more complicated, since some 
macro rules are added, which avoid the explicit representation of all subterms. 

The rules for treating cycles and clusters have to be extended to show how 
they implement sharing of subcontexts. 



4 The Data Structures for CSCU 

The compressed representation of the data structures requires three different 
parts: term sharing using first order variables representing subterms, a represen- 
tation of iterated context application and a sharing of contexts. 

4.1 Description of the Compressed Data Structures 

Let a Tcontext S be a context of the form f(x_1, ..., x_{j-1}, [·], x_{j+1}, ..., x_{ar(f)}), where x_i are first order variables.

Let a power expression be an expression of the form pow(X, n_1, n_2), where 0 ≤ n_1 ≤ n_2 are nonnegative integers and X is a context variable. We denote them using the letter P. It is always assured that unifiers instantiate X by a nontrivial context. Given a substitution σ, power expressions pow(X, n_1, n_2) denote the subcontext from main depth n_1 to n_2 of a sufficiently large power of X. Formally we define, given a ground substitution σ, σ(pow(X, n_1, n_2)) := A, where A is a ground context with |A| = n_2 − n_1, and there are ground contexts B, C with |B| = n_1, and a nonnegative integer k with σ(X)^k = BAC.

As an example let σ = {X → f(g([·]))}; then σ(pow(X, 1, 7)) = g(f(g(f(g(f([·])))))).

The general form of power expressions enables a nice and short formula- 
tion of rules, and also guarantees nonincreasing space usage for rules extracting 
subcontexts of a power expression. 

Let the extended terms be t ::= x \ /(ti, . . . , t(jr(/)) I A.{t) \ P(t), where x is 
a variable, / a function symbol, X a context variable, t, U are extended terms, 
and P is a power expression. In the following we will use only extended terms. 

Definition 4.1. A compressed context unification problem (CCUP) $\Gamma$ is a set of equations of the following two kinds:

— equations $s = t$, where $s, t$ are (extended) terms. These are called term equations.

— equations $X = S$, where $S$ is a nonempty sequence $S_1 \ldots S_n$ and the $S_i$ are power expressions or 1-contexts. The sequence $S_1 \ldots S_n$ means $S_1(\ldots(S_n([\cdot])))$. These equations are called context sharing equations.

The subset of term equations in $\Gamma$ is denoted as $T(\Gamma)$. The subset of context sharing equations in $\Gamma$ is denoted as $D(\Gamma)$. We assume that $=$ is symmetric for term equations, but not symmetric for sharing equations. The context variables occurring in left hand sides of context sharing equations are called defined context variables (wrt. $\Gamma$). They are ranged over by $U$. The set of defined context variables is denoted as $U_\Gamma$. In the following "context variables" refers to context variables in $Var_2(\Gamma) \setminus U_\Gamma$, and "defined context variables" to the elements of $U_\Gamma$.

Five conditions must hold:

— We assume that there is no occurs-check situation in the context sharing equations. I.e., in $\Gamma$ there is no chain $U_1 = S_1, U_2 = S_2, \ldots, U_n = S_n$, such that $U_{i+1}$ occurs in $S_i$ for $i = 1, \ldots, n-1$ and $U_1$ occurs in $S_n$.

— If $U_1 = S_1, U_2 = S_2 \in D(\Gamma)$ are different equations, then $U_1 \ne U_2$.

— For every $U = S \in D(\Gamma)$, it is $Var_2(S) \subseteq U_\Gamma$.

— Any defined context variable $U$ can occur in $T(\Gamma)$ only in the form $pow(U, n_1, n_2)(x)$.

— For every occurrence of $pow(U, n_1, n_2)(x)$ in $\Gamma$, it is $U \in U_\Gamma$.



Definition 4.2. A ground substitution $\sigma$ is a unifier of the CCUP $\Gamma$ iff after applying $\sigma$, the left and right hand sides of all equations in $\Gamma$ are syntactically equal.

Note that the $U$ in a power expression $pow(U, n_1, n_2)$ will be mapped to a nontrivial context by a unifier, and that application of a unifier to a power expression results in a term without power expressions.
Definition 4.3. Let $\Gamma$ be a CCUP. SO-prefixes wrt. $\Gamma$ are words in $(V_2 \setminus U_\Gamma)^*$. An SO-prefix of a position $p$ in a term $t$ is the word consisting of the context variables from $V_2 \setminus U_\Gamma$ in head positions that are met going from the root to the position $p$. SO-prefixes of all positions in context sharing equations are defined to be empty.

Let the following conditions hold: For all context variables $X \in V_2 \setminus U_\Gamma$ and all positions $p_1, p_2$ of the context variable $X$ in equations, the SO-prefix of $p_1$ in $\Gamma$ is the same as the SO-prefix of $p_2$ in $\Gamma$. For all first order variables $x$ and all positions $p_1, p_2$ of the first order variable $x$ in equations, the SO-prefix of $p_1$ in $\Gamma$ is the same as the SO-prefix of $p_2$ in $\Gamma$.

Then $\Gamma$ is called stratified.

We abbreviate "stratified CCUP" as SCCUP.

In an SCCUP we can speak of the SO-prefix of a context variable or of a first order variable, respectively.

This definition is the translation of the definition in [SS99b] and consistent with [SS94,Lev96] for context unification problems without occurrences of power expressions.

Example 4.4. The CUP $\{Y(X(x)) = Z(y),\ Y(g(X(z))) = u\}$ is a stratified CCUP, where $X$ has SO-prefix $Y$, and $x, z$ have SO-prefix $YX$. The CUP $\{X(x) = x\}$ is not stratified, since the SO-prefix of $x$ is not unique.

As the syntactical size measure of terms and SCCUPs, we use the common size definitions. The only difference is that we define $size(pow(U, n_1, n_2)) := 2 + 2 \cdot size(n_2)$. Note that $size(n_2) = O(\log(n_2))$.

Example 4.5. In $\{X(f(g(a))) = f(g(X(a)))\}$ it is possible to represent a unifier with 113 iterations of $f(g(\cdot))$ as $X = pow(U, 0, 226)$, $U = f(\cdot)\,g(\cdot)$.

4.2 Expansions of Power Expressions

We assume that an SCCUP $\Gamma$ is given and explain the meaning of, and some auxiliary operations on, the data structures.

In the SCCUP $\Gamma$ we compute the main depth of contexts under any unifier. We denote this also using the $|\cdot|$-notation. The following holds:

1. $|pow(U, n_1, n_2)| = n_2 - n_1$

2. $|U| = |S|$, if $(U = S) \in D(\Gamma)$.

3. $|S_1 \ldots S_n| = |S_1| + \ldots + |S_n|$ if $S_1 \ldots S_n$ is a right hand side in $D(\Gamma)$.

4. $|K| = 1$ for a 1-context $K$.

This defines in a unique way the main depth for all contexts $U, S$ in sharing equations $U = S$, and for all power expressions.

Definition 4.6. Assume given an SCCUP $\Gamma$. Let $hdc(S, k)$, the top context of the subcontext of $S$ at depth $k$, for contexts or sequences of contexts $S$ with $0 \le k < |S|$ be defined as follows:

$hdc(K, 0) := K$ for a 1-context $K$

$hdc(S_1 \cdot \ldots \cdot S_n, k) := hdc(S_1, k)$ if $k < |S_1|$

$hdc(S_1 \cdot \ldots \cdot S_n, k) := hdc(S_2 \cdot \ldots \cdot S_n, k - |S_1|)$ if $k \ge |S_1|$

$hdc(pow(U, n_1, n_2), k) := hdc(S, (n_1 + k) \bmod |U|)$, if $U = S \in D(\Gamma)$ and $n_1 + k < n_2$

$hd(S) := hdc(S, 0)$

Definition 4.7. Assume given an SCCUP $\Gamma$. The function "expand" deshares the definitions of the defined context variables. Let $expand(pow(U, n_1, n_2))$ be defined as follows:

$expand(pow(U, n_1, n_1)) := Id$

$expand(pow(U, n_1, n_2)) := hdc(pow(U, n_1, n_2), 0) \cdot expand(pow(U, n_1 + 1, n_2))$

This is also used for terms:

$expand(pow(U, n_1, n_2))(x) := expand(pow(U, n_1, n_2))[x]$.

If we say a variable occurs in $pow(U, n_1, n_2)$, then we mean the occurrences in $expand(pow(U, n_1, n_2))$.

Example 4.8. For $\{U = f(x, \cdot)\,g(\cdot),\ y_1 = pow(U, 3, 6)(y_2)\} \subseteq \Gamma$, we have $|U| = 2$, $|pow(U, 3, 6)| = 3$, $expand(pow(U, 3, 6)) = g(f(x, g([\cdot])))$, and $hd(pow(U, 3, 6)) = g(\cdot)$.

Let the top symbol of terms be defined as the top function symbol, i.e. the top symbol of $f(\ldots)$ is $f$, the top symbol of a 1-context $f(\ldots)$ is $f$, and the top symbol of a power expression is the top symbol of its expansion.
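The main depth, $hdc$ and $expand$ of Definitions 4.6 and 4.7, as an added executable illustration in Python (not code from the paper). It assumes a dictionary for $D(\Gamma)$ keyed by the defined context variable, and the function example_4_8 reproduces the values of Example 4.8; the earlier $\sigma(pow(X,1,7))$ example and Example 4.5 can be checked the same way by defining $X$, respectively $U$, as the sequence $f(\cdot)\,g(\cdot)$.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Constructed model of the compressed data structures of Section 4
# (an added illustration, not the paper's code).
@dataclass(frozen=True)
class OneContext:
    """A 1-context f(x_1, ..., [.], ..., x_n): argument names plus hole index."""
    f: str
    args: Tuple[str, ...]     # the entry at index `hole` is the hole
    hole: int

@dataclass(frozen=True)
class Pow:
    """A power expression pow(U, n1, n2) with 0 <= n1 <= n2."""
    U: str
    n1: int
    n2: int

Component = Union[OneContext, Pow]
Seq = Tuple[Component, ...]          # right hand side S_1 ... S_n of U = S
Sharing = Dict[str, Seq]             # the context sharing equations D(Gamma)

def depth(s: Union[str, Component, Seq], D: Sharing) -> int:
    """Main depth |.| of Section 4.2; a str is a defined context variable U."""
    if isinstance(s, OneContext):
        return 1                     # |K| = 1 for a 1-context
    if isinstance(s, Pow):
        return s.n2 - s.n1           # |pow(U,n1,n2)| = n2 - n1
    if isinstance(s, tuple):
        return sum(depth(c, D) for c in s)   # |S_1 ... S_n| = sum of the |S_i|
    return depth(D[s], D)            # |U| = |S| for U = S in D(Gamma)

def hdc(s: Union[str, Component, Seq], k: int, D: Sharing) -> OneContext:
    """Definition 4.6: the 1-context at depth k of S (0 <= k < |S|)."""
    if isinstance(s, OneContext):
        if k != 0:
            raise ValueError("depth out of range for a 1-context")
        return s
    if isinstance(s, str):           # a defined context variable: use U = S
        return hdc(D[s], k, D)
    if isinstance(s, tuple):
        if not s:
            raise ValueError("depth out of range for a sequence")
        first, rest = s[0], s[1:]
        if k < depth(first, D):
            return hdc(first, k, D)
        return hdc(rest, k - depth(first, D), D)
    if s.n1 + k >= s.n2:
        raise ValueError("depth out of range for a power expression")
    # Walk into the definition U = S, wrapping around with (n1 + k) mod |U|.
    return hdc(D[s.U], (s.n1 + k) % depth(s.U, D), D)

def hd(s: Union[str, Component, Seq], D: Sharing) -> OneContext:
    return hdc(s, 0, D)

def expand(p: Pow, D: Sharing) -> List[OneContext]:
    """Definition 4.7: the |p| 1-contexts of pow(U,n1,n2), outermost first.
    pow(U, n, n) expands to Id, represented by the empty list."""
    return [hdc(p, k, D) for k in range(p.n2 - p.n1)]

def render(ctxs: List[OneContext], hole: str = "[.]") -> str:
    """Write an expanded sequence as the nested term it denotes."""
    t = hole
    for c in reversed(ctxs):
        args = [t if i == c.hole else a for i, a in enumerate(c.args)]
        t = f"{c.f}({','.join(args)})"
    return t

def example_4_8() -> Tuple[int, int, str, str]:
    """U = f(x,[.]) g([.]), y1 = pow(U,3,6)(y2): returns |U|, |pow|, expand, hd."""
    D: Sharing = {"U": (OneContext("f", ("x", "[.]"), 1),
                        OneContext("g", ("[.]",), 0))}
    p = Pow("U", 3, 6)
    return depth("U", D), depth(p, D), render(expand(p, D)), render([hd(p, D)])
```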



5 Preprocessing of the Algorithm CSCU 



Initially, and after a replacement of context variables, a flattening is mandatory. This intermediate flattening is only done for positions with empty SO-prefix.

Definition 5.1 (Flatten).

$$\frac{\{s = t\} \cup \Gamma}{\{s = x,\ x = t\} \cup \Gamma}\quad \text{if neither } s \text{ nor } t \text{ is a variable.}$$

$$\frac{\{f(s_1, \ldots, s_n) = y\} \cup \Gamma}{\{f(x_1, \ldots, x_n) = y,\ x_1 = s_1, \ldots, x_n = s_n\} \cup \Gamma}\quad \text{if some } s_i \text{ is not a variable.}$$

$$\frac{\{pow(U, n_1, n_2)(s) = y\} \cup \Gamma}{\{pow(U, n_1, n_2)(x) = y,\ x = s\} \cup \Gamma}\quad \text{if } s \text{ is not a variable.}$$

The introduced first order variables must always be fresh ones.

If the flattening rules are not applicable, then $\Gamma$ is called flattened. In a flattened SCCUP, in term equations only terms of the form $x \mid f(x_1, \ldots, x_n) \mid X(x) \mid P(x)$ may occur, where $x, x_i$ are first order variables.

The following definitions contain the required simple unification rules and the necessary decomposition rules. Decompositions for the situation $x = pow(U, n_1, n_2),\ x = pow(U', n_3, n_4)$ are done when needed in the treatment of clusters. An eager decomposition in this situation would potentially introduce an exponential number of (non-redundant) first order variables.
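An added Python implementation of the flattening of Definition 5.1 (not the paper's code), run on the equation of Example 4.5. It assumes the tuple encoding of extended terms given in the comments, renames only non-variable arguments (the trivial $x_i = s_i$ for variable $s_i$ that the page's second rule would introduce are exactly those removed by variable replacement), and, since the page lists no rule for $X(s) = y$ with non-variable $s$, treats that case like the $pow$ rule (an assumption).

```python
from typing import List, Tuple, Union

# Constructed encoding of extended terms (Section 4.1):
#   first order variable        -> 'x'                          (a str)
#   f(t_1, ..., t_n)            -> ('fun', 'f', [t_1, ..., t_n])  (n = 0 for constants)
#   X(t), X a context variable  -> ('ctx', 'X', t)
#   pow(U, n1, n2)(t)           -> ('pow', 'U', n1, n2, t)
Term = Union[str, tuple]
Equation = Tuple[Term, Term]

def is_var(t: Term) -> bool:
    return isinstance(t, str)

class Flattener:
    """Definition 5.1 (Flatten), applied until no rule is applicable."""
    def __init__(self) -> None:
        self.count = 0

    def fresh(self) -> str:
        self.count += 1
        return f"v{self.count}"          # fresh first order variables v1, v2, ...

    def flatten(self, equations: List[Equation]) -> List[Equation]:
        work = list(equations)
        done: List[Equation] = []
        while work:
            s, t = work.pop(0)
            # Rule 1: neither side is a variable -> s = x, x = t with fresh x.
            if not is_var(s) and not is_var(t):
                x = self.fresh()
                work += [(s, x), (x, t)]
                continue
            # '=' is symmetric for term equations: put the non-variable side left.
            if is_var(s) and not is_var(t):
                s, t = t, s
            if is_var(s):
                done.append((s, t))        # x = y is already flat
                continue
            if s[0] == 'fun':
                # Rule 2: every non-variable argument s_i gets a fresh x_i = s_i.
                new_args, extra = [], []
                for a in s[2]:
                    if is_var(a):
                        new_args.append(a)
                    else:
                        x = self.fresh()
                        new_args.append(x)
                        extra.append((x, a))
                done.append((('fun', s[1], new_args), t))
                work += extra
            elif s[0] == 'pow':
                # Rule 3: pow(U,n1,n2)(s) = y with s not a variable.
                if is_var(s[4]):
                    done.append((s, t))
                else:
                    x = self.fresh()
                    done.append((('pow', s[1], s[2], s[3], x), t))
                    work.append((x, s[4]))
            elif s[0] == 'ctx':
                # Assumed analogue of rule 3 for X(s) = y (not stated on the page).
                if is_var(s[2]):
                    done.append((s, t))
                else:
                    x = self.fresh()
                    done.append((('ctx', s[1], x), t))
                    work.append((x, s[2]))
            else:
                raise ValueError(f"unknown term {s!r}")
        return done

def is_flat(eq: Equation) -> bool:
    """Flattened form of Section 5: x | f(x_1..x_n) | X(x) | P(x), variable arguments only."""
    s, t = eq
    if not is_var(t):
        s, t = t, s
    if not is_var(t):
        return False
    if is_var(s):
        return True
    if s[0] == 'fun':
        return all(is_var(a) for a in s[2])
    if s[0] == 'ctx':
        return is_var(s[2])
    if s[0] == 'pow':
        return is_var(s[4])
    return False

def example_4_5() -> List[Equation]:
    """Flatten {X(f(g(a))) = f(g(X(a)))}; a is a constant (0-ary symbol)."""
    a = ('fun', 'a', [])
    lhs = ('ctx', 'X', ('fun', 'f', [('fun', 'g', [a])]))
    rhs = ('fun', 'f', [('fun', 'g', [('ctx', 'X', a)])])
    return Flattener().flatten([(lhs, rhs)])
```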
Definition 5.2 (decomposition rules).

1. (variable replacement) $\dfrac{\{x = y\} \cup \Gamma}{\Gamma[y/x]}$

2. (decomposition) $\dfrac{\{x = f(x_1, \ldots, x_n),\ x = f(y_1, \ldots, y_n)\} \cup \Gamma}{\{x = f(x_1, \ldots, x_n),\ x_1 = y_1, \ldots, x_n = y_n\} \cup \Gamma}$

3. (clash) $\dfrac{\{x = f(x_1, \ldots, x_n),\ x = g(y_1, \ldots, y_m)\} \cup \Gamma}{\mathit{Fail}}$ if $f \ne g$

4. (decompose-fp) Let there be equations of the form $x = pow(U, n_1, n_2)(z)$, $x = f(x_1, \ldots, x_n)$ in $\Gamma$ with $n_1 < n_2$. Let $hd(pow(U, n_1, n_2)) = g(y_1, \ldots, y_{j-1}, [\cdot], y_{j+1}, \ldots, y_m)$.

— If $g \ne f$, then Fail.

— If $g = f$, then remove the equation $x = pow(U, n_1, n_2)(z)$ and add the equations $x_h = y_h$ for $h \ne j$, and $x_j = pow(U, n_1 + 1, n_2)(z)$.

5. (decompose-pp) Let there be equations of the form $x = pow(U, n_1, n_2)(z_1)$, $x = pow(U, n_1, n_3)(z_2)$ in $\Gamma$ with $n_2 < n_3$. Then remove the equation $x = pow(U, n_1, n_2)(z_1)$, and add the equation $z_1 = pow(U, n_2, n_3)(z_2)$.

6. (occurs-check) Fail, if there is a chain of equations $x_1 = t_1, \ldots, x_n = t_n$, $x_{i+1}$ occurs in $t_i$ for $i = 1, \ldots, n-1$, $x_1$ occurs in $t_n$, where at least one $t_i$ is not a variable, and (remove-power) is not applicable.

7. (trivial) Remove equations $t = t$ from $\Gamma$.

8. (remove-redundant) Remove $x = t$ from $\Gamma$ if $x$ occurs neither in $t$ nor in $\Gamma$.

9. (remove-redundant-U) Remove $U = S$ from $\Gamma$ if $U$ does not occur in $\Gamma$.

10. (remove-power) Power expressions $pow(U, n, n)$ are replaced by $Id$.

11. (shift-power) A power expression of the form $pow(U, n_1, n_2)$ with $|U| \le n_1$ is replaced by $pow(U, n_1 - |U|, n_2 - |U|)$.

The decomposition rules are performed with high priority. If no decomposition rule is applicable, then we say $\Gamma$ is decomposed.



6 Cycles and Clusters 

We give the adapted definitions of SO-cycles and SO-clusters (cf. [SS99b]). 

We assume in this section that $\Gamma$ is flattened and decomposed. 

Definition 6.1. A set of equations $s_1 = t_1, \ldots, s_n = t_n$ is called an SO-cycle, if the following holds: $s_i$ is of the form $x_i$ (or $X_i(y_i)$), and $x_{i+1}$ (or $X_{i+1}$) occurs in $t_i$ for $i = 1, \ldots, n-1$, and $x_1$ (or $X_1$) occurs in $t_n$, and at least one such occurrence is not at the top. The length of an SO-cycle is the number of context variables at the top positions in $s_i, t_i$. The variables $x_i$ ($X_i$, respectively) are called the cycle variables.

An SO-cycle is called ambiguous, if for some $i = 1, \ldots, n-1$, the term $t_i$ or $expand(t_i)$ contains more than one occurrence of $x_{i+1}$ (or $X_{i+1}$ respectively), or $t_n$ or $expand(t_n)$ contains more than one occurrence of $x_1$ (or $X_1$ respectively). The depth of a nonambiguous SO-cycle is the sum of the depths of $x_{i+1}$ (or $X_{i+1}$) in $t_i$ for $i = 1, \ldots, n-1$ plus the depth of $x_1$ (or $X_1$) in $t_n$ (or $expand(t_n)$).
An SO-cycle is standardized, iff the SO-cycle is of the form

$$X_1(x_1) = y_1,\ y_1 = X_2(z_1),\ X_2(x_2) = y_2,\ y_2 = X_3(z_2),\ \ldots,$$
$$X_n(x_n) = y_{n,1},\ y_{n,1} = C_{n,1}[y_{n,2}],\ \ldots,\ y_{n,k} = C_{n,k}[y_{n,k+1}],\ y_{n,k+1} = X_1(z_n)$$

A non-standardized SO-cycle $L$ has $j$ successive flat junctions iff there is a representation (perhaps revolving the SO-cycle) of $L$ of the form

$$X_1(x_1) = y_1,\ y_1 = X_2(z_1),\ \ldots,\ X_j(x_j) = y_j,\ y_j = X_{j+1}(z_j),\ \ldots$$

The flat-length of a non-standardized SO-cycle is the maximal $j$, such that $L$ has $j$ successive flat junctions.

Definition 6.2. Let $\Gamma$ be an SCCUP. Let $\sim$ be the equivalence relation on variables in $Var(\Gamma) \setminus U_\Gamma$ which have empty SO-prefix, generated by $X \sim x$ if there is an equation $X(y) = x$ in $\Gamma$.

Let $\succ$ be the relation $x \succ y$ if there is an equation $x = t \in \Gamma$, $x \ne y$ and $y$ occurs in $t$.

Let $\succeq$ be the quasi-ordering on variables generated by the transitive and reflexive closure of $\succ \cup \sim$. If there are variables $x, y$ with $x \succ y$ and $y \succeq x$, then we say $\Gamma$ has a cycle conflict.

If $\Gamma$ has no cycle conflict, then an equivalence class $K$ of $\sim$ is called an SO-cluster. An SO-cluster $K$ is called a top-cluster, iff the variables in $K$ are maximal w.r.t. $\succeq$. The set of equations in $\Gamma$, where the context variables from a top-cluster $K$ occur, is denoted as $EQ(K)$, and the terms in the equations $EQ(K)$ are denoted as $EQT(K)$.

A top-cluster $K$ is called flat, iff it is also $\succeq$-minimal.

Remark 6.3. The set $K$ consists exactly of the first order variables in $EQT(K)$ and the context variables $X$, such that $X(y)$ occurs in $EQT(K)$ for some $y$. If $K$ is a top-cluster, then the only occurrences of variables from $K$ are in $EQT(K)$. If $K$ is a flat top-cluster, then all terms in $EQT(K)$ are of the form $X(y)$ or $x$.

In the following we write cycles and clusters instead of SO-cycles and SO-clusters.

7 The Termination Ordering

We give the termination measure adapted from [SS99b]. It follows from [SS99b] that every rule of CSCU strictly decreases this measure. The importance for the result in this paper is an upper estimation of the number of applications of cycle-rules.

Definition 7.1. Let $L$ be a cycle. The measure $\psi(L)$ is a lexicographic combination of the following components:

1. The length of $L$.

2. The length of $L$ minus the flat-length of $L$.

Definition 7.2. The (well-founded) measure $\mu$ for termination, also written $\mu(\Gamma)$, is a lexicographic combination $(\mu_1, \ldots, \mu_5)$ of the following well-founded measures:

1. $\mu_1$: The number of context variables in $\Gamma$.

2. $\mu_2$: A measure for cycles: $\infty$, if there is no cycle, otherwise the minimal $\psi(L)$ for all cycles in $\Gamma$. We use that $\infty > a$ for all $a \ne \infty$.

3. $\mu_3$: If there is a cycle or if there is no flat top-cluster, then $\infty$. If there is a flat top-cluster, then the minimal number of context variables in a flat top-cluster.

4. $\mu_4$: The number of occurrences of function symbols in $T(\Gamma)$.

5. $\mu_5$: The number of equations in $T(\Gamma)$.

8 The Main Rules of CSCU 

8.1 Cycles 

The algorithm SCU from [SS99b] has 3 rules for the treatment of cycles. We only mention the required actions, since otherwise we would have to copy the paper [SS99b]. The rules have to be applied to a shortest cycle. Let $X_1, \ldots, X_h$ be the context variables in the cycle. We assume that the cycle is of the form

$$X_1(x_1) = y_1,\ y_1 = X_2(z_1),\ X_2(x_2) = y_2,\ y_2 = X_3(z_2),\ \ldots,$$
$$X_j(x_j) = y_{j,1},\ y_{j,1} = C_{j,1}[y_{j,2}],\ \ldots,\ y_{j,k-1} = C_{j,k}[y_{j,k}],\ y_{j,k} = Y(\ldots),\ \ldots$$

where $Y = X_{j+1}$, or $j = h$ and $Y = X_1$. In all the rules below, if (CV-elimination) is not selected, we have to add the sharing equation $U = C_{j,1} \ldots C_{j,k}$. The derailing has to obey the same conditions as in [SS99b].

Definition 8.1. Rule (Standardize-cycle): This rule can only be applied to a non-standardized cycle.

1. (CV-elimination) Select some $X_i$ and eliminate it.

2. (partial-prefix) Let $0 < m < |U|$. For all $i = 1, \ldots, j$, replace $X_i$ by $pow(U, 0, m)(X_i')$ or by $pow(U, 0, m)$, where the replacement by $pow(U, 0, m)$ has to be selected at least once.

3. (full-prefix) For all $i = 1, \ldots, j$, replace $X_i$ by $pow(U, 0, |U|)(X_i')$.

4. (derailing) Let $0 < m < |U|$. For all $i = 1, \ldots, j$, replace $X_i$ by $pow(U, 0, m)(f(x_{i,1}, \ldots, X_i', \ldots, x_{i,ar(f)}))$.

Definition 8.2. Rule (Solve-standardized-ambig-cycle): This rule can only be applied, if the cycle is standardized and ambiguous.

1. (CV-elimination) Select some $X_i$ and eliminate it.

2. (partial-prefix) Let $0 < m < |U|$. For all $i = 1, \ldots, h$, replace $X_i$ by $pow(U, 0, m)(X_i')$ or by $pow(U, 0, m)$, where the replacement by $pow(U, 0, m)$ has to be selected at least once.

3. (derailing) Let $0 < m < |U|$. For all $i = 1, \ldots, h$, replace $X_i$ by $pow(U, 0, m)(f(x_{i,1}, \ldots, X_i', \ldots, x_{i,ar(f)}))$.

Definition 8.3. Rule (Solve-standardized-cycle): This rule can only be applied, if the cycle is standardized and not ambiguous.

1. (CV-elimination) Select some $X_i$ and eliminate it.

2. (partial-prefix) Let $0 < m < E_I \cdot |U|$. For all $i = 1, \ldots, j$, replace $X_i$ by $pow(U, 0, m)(X_i')$ or by $pow(U, 0, m)$, where the replacement by $pow(U, 0, m)$ has to be selected at least once.

3. (derailing) This selection requires that $h > 1$. Let $0 < m < E_I \cdot |U|$. For all $i = 1, \ldots, h$, replace $X_i$ by $pow(U, 0, m)(f(x_{i,1}, \ldots, X_i', \ldots, x_{i,ar(f)}))$.

After the application of the rules, decomposition has to be applied. The purpose of (decompose-pp), (remove-power), and (shift-power) is to mimic the decomposition effect of the algorithm SCU in [SS99b], however using less space.



8.2 Treatment of Clusters 

The main goal in this section is to describe the adapted rules for top-clusters, and to argue that they can be applied without increasing space usage.

We assume that $\Gamma$ is flattened, decomposed, and that there are no cycles. If one application of the transformation rules introduces a cycle, then the rules for cycle-elimination will be applied until a context variable is eliminated.

Definition 8.4 (Non-flat top-cluster). This rule is only applicable if there are no cycles, no flat top-clusters, but a non-flat top-cluster $K$.

Let $K = \{x_1, \ldots, x_{h_1}, X_1, \ldots, X_{h_2}\}$ be a non-flat top-cluster. Then select one of the following two possibilities:

1. (CV-elimination) This selection is only applicable, if $K \cap V_2 \ne \emptyset$. Select some $X_i$, $i \in [1..h_2]$, and instantiate it by $Id$.

2. (rigid-flexible) The equations in $EQ(K)$ are of the form $x = f(x_1, \ldots, x_n)$, $x = X(y)$, or $x = pow(U, n_1, n_2)(y)$. If there are different top function symbols of terms of the form $f(\ldots)$ or $pow(\ldots)(\ldots)$ in $EQT(K)$, then Fail. Otherwise, let $f$ be the unique top symbol of these terms in $EQT(K)$.

For every first order variable $x_i \in K$, let the instantiation be $f(x_{i,1}, \ldots, x_{i,n})$, and for a context variable $X_i \in K$, first select a position $k_i$, and let the instantiation be $X_i \to f(x_{i,1}, \ldots, x_{i,k_i-1}, X_i', x_{i,k_i+1}, \ldots, x_{i,n})$. The variables $x_{i,j}$ will be fresh ones.

Apply decomposition rules and flattening.
Definition 8.5 (flat top-clusters). This rule is applicable if there are no cycles, but a flat top-cluster.

Let $K = \{x_1, \ldots, x_{h_1}, X_1, \ldots, X_{h_2}\}$ be a flat top-cluster with a minimal number $h_2$ of context variables. The following selections are possible:

1. (CV-eliminate) Select some context variable in $K$ and eliminate it.

2. (flexible-flexible branching) This case requires $|K| > 1$ and that the maximal arity of function symbols in the signature $\Sigma$ is greater than 1.

Let $F$ be a new function symbol with $2 \le ar(F) \le |K|$. For every context variable $X_i \in K$, select an index $1 \le k_i \le ar(F)$ and instantiate $X_i(\cdot)$ by $F(x_{i,1}, \ldots, X_i'(\cdot), \ldots, x_{i,ar(F)})$, with $X_i'(\cdot)$ at position $k_i$. There must be different selections of the index $k_i$. For every first order variable $x_i \in K$ replace $x_i$ by $F(y_{i,1}, \ldots, y_{i,ar(F)})$, where $x_{i,j}, y_{i,j}, X_i'$ are new.

Then decompose the equations that result from instantiating and flattening the equations in $EQ(K)$.



Proposition 8.6. The application of the rules for top-clusters does not increase the size usage. The intermediate use of space is $O(n)$.

Proof. 1. First consider the rule for flat top-clusters. Assume selection 2 is chosen. The variables from $K$ only occur in the equations from $EQT(K)$. Hence after the instantiation the equations can be decomposed. The only remaining equations are of the form $x = X'(y)$, where $X'$ is a freshly introduced context variable. Thus the number of equations remains the same, and even the sum of their sizes is the same.

2. The rule for non-flat top-clusters was applied. Assume selection 2 is chosen. Then the equations in $EQT(K)$ are instantiated, and after the application of decompose, the number of equations is the same or smaller.

— An equation $x = X(y)$ leaves one equation of the form $x' = X'(y')$.

— An equation $x = f(x_1, \ldots, x_n)$ leaves no equation at all, since the function symbol $f$ ($F$, respectively) is removed by decomposition, as well as all first order variables in $K$.

— An equation $x = pow(U, n_1, n_2)(y)$ either leaves $Id$, or an equation $x' = pow(U, n_1 + 1, n_2)(y)$.

Since the size of power expressions is defined as if $n_1$ is represented using the same space as $n_2$, there is no size increase.

9 CSCU: Estimations 

The (non-deterministic) algorithm CSCU has as input a stratified context unification problem $\Gamma_I$ without any power expressions. First, $\Gamma_I$ is flattened in order to exploit sharing. Then apply the following repeatedly until a Fail is signalled or success is signalled for empty $\Gamma$:

1. If there is a cycle, then apply cycle-elimination.

2. If there is no cycle, then apply cluster-elimination.

Let $D_I$ be the size of $\Gamma_I$, and let $\#CV := |Var_2(\Gamma_I)|$.

Lemma 9.1. The rules for flattening make at most an $O(n)$ increase in size for the initial context unification problem.

Unexpectedly, the numbers in power expressions will be responsible for a 
large contribution to the size requirements. Let Q be an upper bound for the 
size of power expressions. 

Lemma 9.2. The overall size increase by CSCU is $O(Q \cdot D_I)$.

Proof. The hard part are the cycle elimination rules: If a cycle $S$ with $h$ context variables is given, the cycle-elimination will be applied at most $h^2$ times until the number of context variables is strictly reduced by one. Thus the overall number of applications of cycle-elimination is at most $O(\#CV^3)$.

The following holds:

1. The number of occurrences of context variables is always $\le D_I$.

2. The number of occurrences of function symbols in $T(\Gamma)$ is at most $D_I$.

3. The number of occurrences of power expressions in $T(\Gamma)$ is at most: (#occurrences of context variables) $\cdot$ (#applications of cycle rules) + (#applications of (solve-standardized-cycle)), which is $\le D_I \cdot O(\#CV^3)$, i.e. $O(D_I^4)$.

4. The number of context sharing equations is at most the number of applications of cycle-rules, i.e., $O(D_I^3)$.

5. The number of components in the right hand side of a context sharing equation is bounded by the number of occurrences of function symbols and power expressions in $T(\Gamma)$. This is of order $O(D_I)$.

Now we can estimate the total size usage:

— $T(\Gamma)$: $D_I$ for terms of the form $f(x_1, \ldots, x_n)$, $O(Q \cdot D_I)$ for power expressions, and $D_I$ for context variables. The number of first order variables is at most the number of equations. The size is of order $O(Q \cdot D_I)$.

— $D(\Gamma)$: There are at most $D_I$ right hand sides, and the size of the right hand sides is of order $O(Q \cdot D_I)$. The size of $D(\Gamma)$ is of order $O(Q \cdot D_I)$.

In summary, the order of space usage is $O(Q \cdot D_I)$.

We also have to check that there is no unexpected size explosion during the application of the rules. The only critical operation is computing the $hd$ of power expressions, which can be done in the order of the size of right hand sides of context sharing equations, which is $O(Q \cdot D_I)$. □

Lemma 9.3. The size $Q$ of power expressions in CSCU is of order $O(D_I^4)$.

Proof. Enumerate the defined context variables as $U_i$ in the sequence of their creation by the algorithm and define $d_i := D_I \cdot 2^{c \cdot D_I} \cdot d_{i-1}$, where $c = 2.14$ (see Proposition 2.1). Using induction on $i$ we see that $|U_i| \le d_i$ for all $i$ by estimating right hand sides of the context sharing equations. Thus the upper bound is $d_{O(D_I^3)}$, since the number of context sharing equations is $O(D_I^3)$.

This is of order $2^{O(D_I^4)}$. In summary, this means that the size of power expressions is of order $O(D_I^4)$. □

Now we can state an upper bound on the complexity of the algorithm:

Theorem 9.4. CSCU can be performed in polynomial space.

Proof. The space usage is $O(Q \cdot D_I)$ by Lemma 9.2, which is polynomial by Lemma 9.3. Furthermore, NPSPACE is contained in PSPACE. □

Corollary 9.5. Stratified context unification is in PSPACE.

Corollary 9.6. Satisfiability of one-step rewrite constraints is in PSPACE.

Note that the number of steps of the algorithm CSCU may be exponential. In retrospect, this result permits a worst case estimation of the size-complexity of the algorithm for stratified context unification in [SS99b]. First use replacement of first order variables. The result has an exponential number of power expressions. Since after exploding the power expressions the space requirement per power expression is doubly exponential, the non-optimized algorithm SCU in [SS99b] is likely to perform in doubly exponential space.

10 Conclusion 

The paper shows that unifiability of stratified context unification problems can be decided in polynomial space, which is far better than the highly complex algorithm given in [SS99b]. The lower bound for stratified context unification is NP-hard [SSS98], hence there remains a gap, which we leave for future research. Since context unification is equivalent to one-step rewrite constraints, the paper also shows PSPACE as an upper complexity bound for their decidability.

The techniques in this paper may enable one to show improved upper bounds for bounded second order unification [SS99a] as well as for D-unification [SS98]. The author conjectures that stratified context unification is in NP.
Abstract. We show how a well-known superposition-based inference 
system for first-order equational logic can be used almost directly as a 
decision procedure for various theories including lists, arrays, extensional 
arrays and combinations of them. We also give a superposition-based 
decision procedure for homomorphism. 

Keywords: Automated Deduction, Equational Logic, Term Rewriting, 
Superposition, Decision Procedures, Lists, Arrays with Extensionality, 
Homomorphism 



1 Introduction 

In verification with proof assistants (such as PVS, COQ, HOL, and Nqthm), 
decision procedures are typically used for eliminating trivial subgoals represented 
for instance as sequents modulo a background theory. These theories axiomatize 
standard data-types such as arrays, lists, bit-vectors and have proved to be 
quite useful for, e.g., hardware verification. Elimination of trivial sequents often 
reduces to the problem of proving the unsatisfiability of conjunctions 
of literals modulo a background theory T, which is the problem we shall 
consider here. 

The rewriting approach permits us the uniform design of decision procedures for eliminating these subgoals and also offers an efficient alternative to congruence closure techniques. This approach was inspired by Greg Nelson's thesis [Nel81] where it is suggested to apply Knuth-Bendix completion to derive decision procedures. Here, instead of the Knuth-Bendix completion procedure, we apply a standard complete superposition-based inference system for clausal equational logic (given for instance in [NR01]). This allows us not only to handle pure equality but also several interesting axiomatic theories that were not handled previously that way such as lists, arrays, and extensional arrays. The proof that the decision procedures are correct is straightforward w.r.t. other correctness proofs given in the literature (compare for instance our decision procedure for arrays with extensionality of Section 6 with [SDBL01]). In our approach, combining theories is also immediate. As an illustration, we show how to decide a combination of lists and arrays.

* The authors would like to thank C. Ringeissen and L. Vigneron for their comments on a draft of this paper and the anonymous referees for helpful criticisms.

A second contribution of the paper is in the same spirit of applying Knuth- 
Bendix completion to derive a decision procedure for the theory of homomor- 
phism. This is the first decision procedure, to our knowledge, for this theory. 

Related work. For lack of space we only discuss results that are closely related to ours. In previous work, the rewriting approach was mainly used for pure equality theories. For instance, [BT00] focus on abstracting the control of congruence closure algorithms, in order to give a uniform presentation of several known algorithms. A recent extension to deal with equality modulo AC is presented in [BRTV00].

In [NO80], Nelson and Oppen describe a decision procedure for the "quantifier-free theory of the LISP list structure". The procedure is obtained as an extension of a congruence closure algorithm with a mechanism which augments the graph by selected instances of the axioms of the theory. The proof of correctness is model theoretic and seems difficult to generalize. A discussion of the difficulties of deriving a general method to obtain decision procedures by extending congruence closure algorithms, as well as a decision procedure for the theory of arrays (without extensionality), can be found in [Nel81]. This discussion has motivated our work.

In [SDBL01], the first decision procedure for an extensional theory of arrays is presented. The key ingredient is a modified congruence closure algorithm which is capable of handling (so called) partial equations. The correctness proof is rather complex and takes the main part of the paper; it is model-theoretic and rather ad-hoc. In Section 6, we give a decision procedure for the same theory considered in [SDBL01]. Our procedure is simpler to understand since it amounts to applying (almost directly) standard equality reasoning in contrast to handling partial equalities, and our proof of correctness relies on basic properties of skolemization. As a consequence, the decision procedure (as well as its correctness proof) for the theory of arrays with extensionality can be adapted to similar presentations for sets and multisets.

Finally, we notice that we can easily derive decision procedures for combinations of theories in a manner closely resembling the combination schema described in [NO78]. This is exemplified for a combination of the theory of lists and arrays in Section 7. Furthermore, the decision procedures derived in our framework can be extended so as to provide the interface functionalities needed for them to be plugged into the Nelson and Oppen combination schema [NO78].

2 Preliminaries 

We assume the usual (first-order) syntactic notions of signature, {ground) term, 
position, substitution, replacement, rewrite relation — >■, as defined, e.g., in [DJ90]. 
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If 17 is a signature and X is a set of variables, then T{S, X) denotes the set 
of terms built out of the symbols in S and the variables in X. T{X) abbreviates 
T{S,%). 0-ary function symbols are called individual constants. Let I and r be 
elements of T{E, X), then / = r is a T{S, X)-equality and -•{I = r) (also written 
as ? yf r) is a T{X, X)-disequality. A T{S, X)-literal is either a T{E, A)-equality 
or a T{E, A)-disequality, i.e. an expression of the form s cxi t where txi is either = 
or yf. A T{S,X)-clause is a disjunction of literals, i.e. an expression of the form 
-lAi V • • • V -'An V i?i V • • • V Bm (abbreviated with Ai, . . . , A„ Bi,. . . , B^) 
where Ai, . . . , A„, Bi, . . . , Bm are T{E, A)-equalities (n > 0 and m > 0). We 
simply use the terms equality, disequality, literals, and clauses when T{S,X) is 
clear from the context. A flat equality is an equality of the form f{t \, . . . , tn) = to 
or to = f{t\, . . . ,tn) where / is an n-ary function symbol and ti is either a 
variable or an individual constant for i = 0, 1, . . . , n with n > 0. A distinction is 
a disequality ti yf ^ 2 , where ti is either a variable or an individual constant for 
z = 1,2. A flat literal is either a flat equality or a distinction. A flat clause is a 
disjunction of flat literals. 

We assume the usual (first-order) notions of interpretation, satisfiability, va- 
lidity, logical consequence (in symbols, ^), and theory (see, e.g., [End72]). Let 
S' be a set of ground literals, then we say that S is T-satisfiable (T -unsatisfiable) 
iff T U S is satisflable (unsatisfiable, resp.). All the theories we shall consider in 
this paper contain the quantifier-free theory of equality £. 

Example 1. Assume that the axiom of $T$ is $h(f(x, y)) = f(h(x), h(y))$ (where
$x$ and $y$ are implicitly universally quantified variables). We can show the $T$-unsatisfiability
of $\{h(c) = c',\ h(c') = c,\ f(c, c') = h(h(a)),\ f(c', c) = a,\ h(h(h(a))) \neq a\}$.

The satisfiability problem for a theory $T$ amounts to establishing whether any
given finite set of ground literals is $T$-satisfiable or not. A decision procedure for
$T$ is any algorithm that solves the satisfiability problem for $T$.

3 Our Approach 

In this paper, we propose a uniform approach based on superposition inference 
rules to build decision procedures for a variety of decidable theories. For all 
theories T, the first step is to flatten all the input literals. The soundness 
of this preprocessing step is ensured by the following fact. 

Lemma 1. Let $T$ be a $T(\Sigma, X)$-theory and $S$ be a finite set of $T(\Sigma)$-literals.
Then there exists a finite set of flat $T(\Sigma')$-literals $S'$ (where $\Sigma'$ is obtained from
$\Sigma$ by adding a finite number of individual constants) such that $S'$ is $T$-satisfiable
iff $S$ is.

Notice that flattening augments the size of the input set $S$ of literals to $O(n)$,
where $n$ is the number of subterms in $S$.

Example 2. The following set of flat literals can be derived from the previous
example: $\{h(c) = c',\ h(c') = c,\ f(c, c') = c_2,\ f(c', c) = a,\ h(a) = c_1,\ h(c_1) = c_2,\ h(c_2) = c_0,\ c_0 \neq a\}$.
Table 1. Inference rules of SV

Name: Superposition
Rule: from $\Gamma \Rightarrow \Delta, l[u'] = r$ and $\Pi \Rightarrow \Sigma, u = v$
      infer $\sigma(\Gamma, \Pi \Rightarrow \Delta, \Sigma, l[v] = r)$
Applicability conditions: $\sigma(u) \not\preceq \sigma(v)$, $\sigma(u = v) \not\preceq \sigma(\Pi \cup \Sigma)$,
      $\sigma(l[u']) \not\preceq \sigma(r)$, $\sigma(l[u'] = r) \not\preceq \sigma(\Gamma \cup \Delta)$

Name: Paramodulation
Rule: from $\Gamma, l[u'] = r \Rightarrow \Delta$ and $\Pi \Rightarrow \Sigma, u = v$
      infer $\sigma(l[v] = r, \Gamma, \Pi \Rightarrow \Delta, \Sigma)$
Applicability conditions: $\sigma(u) \not\preceq \sigma(v)$, $\sigma(u = v) \not\preceq \sigma(\Pi \cup \Sigma)$,
      $\sigma(l[u']) \not\preceq \sigma(r)$, $\sigma(l[u'] = r) \not\preceq \sigma(\Gamma \cup \Delta)$

Name: Reflection
Rule: from $\Gamma, u' = u \Rightarrow \Delta$
      infer $\sigma(\Gamma \Rightarrow \Delta)$
Applicability conditions: $\sigma(u' = u) \not\preceq \sigma(\Gamma \cup \Delta)$

Name: Factoring
Rule: from $\Gamma \Rightarrow \Delta, u = t, u' = t'$
      infer $\sigma(\Gamma, t = t' \Rightarrow \Delta, u = t')$
Applicability conditions: $\sigma(u) \not\preceq \sigma(t)$, $\sigma(u = t) \not\preceq \sigma(\{u' = t'\} \cup \Delta)$

Table 2. Simplification rules of SV

Name: Subsumption
Rule: $S \cup \{C, C'\}$ is replaced by $S \cup \{C\}$
Applicability conditions: for some substitution $\theta$, $\theta(C) \subseteq C'$, and there is no
      substitution $\rho$ such that $\rho(C') = C$

Name: Simplification
Rule: $S \cup \{C[l'], l = r\}$ is replaced by $S \cup \{C[\theta(r)], l = r\}$
Applicability conditions: $l' = \theta(l)$, $\theta(l) \succ \theta(r)$, and $C[\theta(l)] \succ (\theta(l) = \theta(r))$

Name: Deletion
Rule: $S \cup \{\Gamma \Rightarrow \Delta, t = t\}$ is replaced by $S$

We will make use of a superposition calculus, SV, comprising the inference rules
of Table 1 and the simplification rules of Table 2. SV is taken from [NR01]. It
extends the system from [Rus91] by the equality factoring rule [BG94], so that
more ordering restrictions are possible (in the non-Horn case). The relation $\succ$
is a reduction ordering [DJ90], which is total on ground terms. $\succ$ is extended to
literals in the following way: $(a \bowtie b) \succ (c \bowtie d)$ if $\{a, b\} \succ_{mul} \{c, d\}$, where $\succ_{mul}$ is
the multiset extension of $\succ$. Multisets of literals are compared using the multiset
extension of $\succ$ on literals.

An inference system including simplification rules is refutationally complete
if any fair application of the rules to an unsatisfiable set of clauses will derive
the empty clause. Fairness means that if some inference is possible it will be performed
at some step unless one of the parent clauses gets simplified, subsumed,
or deleted. The calculus SV is known to be refutationally complete for general
first-order equational logic [BG94,NR01]. (Note that for Horn clauses Equality
Factoring is useless [KR91].) In Table 1 the substitution $\sigma$ is the most general
unifier of $u$ and $u'$, and $u'$ is not a variable in Superposition and Paramodulation.
We shall write Factoring instead of Equality Factoring for conciseness. In this
paper, a saturation of a set of clauses $S$ by SV is the final set of clauses generated
by a fair derivation from $S$ using rules in SV with higher priority given to the
simplification rules. If the saturation terminates for the union of $T$ and any set of
ground flat literals then it is a decision procedure for $T$: if the final set of clauses
contains the empty clause then the input set of literals is unsatisfiable; it is satisfiable,
otherwise. This is a direct consequence of the refutational completeness of
SV. From now on, we shall call SV any fair application of the inference system
with priority given to the simplification rules.

3.1 A Decision Procedure for the Quantifier-Free Theory of Equality

The following result says that SV can be used as a decision procedure for the
quantifier-free theory of equality $\mathcal{E}$.¹ In fact, the decision procedure we obtain is
just a variant of the Knuth-Bendix completion procedure (similar to the rational
reconstruction of Nelson and Oppen's congruence closure algorithm of [BT00]).
We shall assume now and in the remainder of this paper that the ordering $\succ$ is
s.t. $t \succ c$ for each constant $c$ and for each ground term $t$ that contains a
symbol of arity greater than 0. Note that it is easy to satisfy this requirement
with a suitable precedence ordering.

Lemma 2. Let $S$ be a finite set of flat $T(\Sigma)$-literals. All the saturations of $S$
by SV are finite.

Proof. Note that Simplification is applicable whenever Superposition is. Hence
Superposition is useless since Simplification has higher priority. Simplification
and Paramodulation generate ground flat literals. Reflection generates the empty
clause (which subsumes all other clauses). Since the number of possible ground
flat literals is finite, it readily follows that all saturations are finite. □

Theorem 1. SV is a decision procedure for $\mathcal{E}$.

Let $n$ be the size of the input set of flattened literals. Each Simplification or
Paramodulation replaces a subterm by a $\succ$-smaller constant (i.e. a term of type
$f(c_1, \ldots, c_n)$ or $c'$ by some $c$). Hence the maximal number of inference steps is
equal to the number of subterms times the number of constants in $\Sigma$, i.e. $O(n^2)$.
Since finding a Simplification or Paramodulation inference is polynomial, the
whole saturation is polynomial.
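As an added example (not the paper's code), the following Python carries out the flattening of Lemma 1 and then the saturation of Lemma 2 on the resulting ground flat literals, deciding $\mathcal{E}$-satisfiability. The tuple representation of terms, the naming of fresh constants and the precedence among constants are assumptions of this example; the inputs are Example 1 of the paper plus two constructed literal sets.

```python
# Added example, not the paper's code: flattening (Lemma 1) followed by the
# saturation of Section 3.1.  Conventions of this example: a constant is a
# string, an application is a tuple (f, t1, ..., tn), fresh constants are "_k0", ...
from itertools import count

def is_const(t):
    return isinstance(t, str)

def const_key(c):
    # Total precedence on constants: fresh constants are bigger than input ones,
    # so normal forms use input constants whenever possible.
    return (c.startswith("_k"), c)

class Flattener:
    def __init__(self):
        self.defs, self.eqs, self.dis = {}, [], []   # app -> name, equalities, distinctions
        self.fresh = count()

    def flat_app(self, t):
        """Replace every argument of the application t by a constant."""
        return (t[0],) + tuple(self.name(a) for a in t[1:])

    def name(self, t):
        """A constant equal to t; records f(c1, ..., cn) = k when fresh k is needed."""
        if is_const(t):
            return t
        app = self.flat_app(t)
        if app not in self.defs:
            self.defs[app] = f"_k{next(self.fresh)}"
            self.eqs.append((app, self.defs[app]))
        return self.defs[app]

    def add(self, s, t, positive):
        """Flatten one literal: s = t if positive, s != t otherwise."""
        if not positive:
            self.dis.append((self.name(s), self.name(t)))
        elif is_const(s) and is_const(t):
            self.eqs.append((s, t))              # c = c' is already flat
        else:
            if is_const(s):
                s, t = t, s                      # keep an application on the left
            app, rhs = self.flat_app(s), self.name(t)
            self.defs.setdefault(app, rhs)       # later copies of s reuse rhs
            self.eqs.append((app, rhs))

def flatten(literals):
    """literals: iterable of (s, t, positive) -> (flat equalities, distinctions)."""
    fl = Flattener()
    for s, t, positive in literals:
        fl.add(s, t, positive)
    return fl.eqs, fl.dis

class Saturation:
    """Simplification and Deletion on oriented ground flat equalities; as in the
    proof of Lemma 2 no Superposition is needed.  Paramodulation into the
    distinctions is done by normalising them in `unsat`."""
    def __init__(self, eqs):
        self.rules = {}                          # lhs -> rhs, lhs bigger than rhs
        self.pending = list(eqs)
        while self.pending:
            self.step()

    def nf(self, t):
        """Normal form of a constant or flat application w.r.t. the rules."""
        if not is_const(t):
            t = (t[0],) + tuple(self.nf(a) for a in t[1:])
        while t in self.rules:
            t = self.rules[t]
        return t

    def step(self):
        l, r = self.pending.pop()
        l, r = self.nf(l), self.nf(r)            # Simplification of both sides
        if l == r:                               # Deletion of t = t
            return
        if is_const(l) and (not is_const(r) or const_key(l) < const_key(r)):
            l, r = r, l                          # orient: bigger side on the left
        stale = [k for k, v in self.rules.items()   # rules mentioning the new
                 if v == l or (not is_const(k) and l in k[1:])]  # lhs: redo them
        for k in stale:
            self.pending.append((k, self.rules.pop(k)))
        self.rules[l] = r

    def unsat(self, distinctions):
        """Reflection: a distinction whose sides share a normal form is the empty clause."""
        return any(self.nf(a) == self.nf(b) for a, b in distinctions)

def decide_E(literals):
    """True iff the ground literals are satisfiable in the theory of equality E."""
    eqs, dis = flatten(literals)
    return not Saturation(eqs).unsat(dis)

# Example 1 of the paper in the tuple convention: E-satisfiable, since only the
# homomorphism axiom of T (absent from E) makes it unsatisfiable.
EXAMPLE_1 = [(("h", "c"), "c'", True), (("h", "c'"), "c", True),
             (("f", "c", "c'"), ("h", ("h", "a")), True),
             (("f", "c'", "c"), "a", True), (("h", ("h", ("h", "a"))), "a", False)]
# Constructed inputs: CONGRUENCE is E-unsatisfiable (a = b forces f(a) = f(b)),
# SWAP is E-satisfiable.
CONGRUENCE = [("a", "b", True), (("f", "a"), ("f", "b"), False)]
SWAP = [(("f", "a"), "b", True), (("f", "b"), "a", True), ("a", "b", False)]
```

Flattening Example 1 yields seven flat equalities and one distinction, the same shape as Example 2 of the paper.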

4 A Decision Procedure for the Theory of Lists

Let $\Sigma_{\mathcal{L}}$ be a signature containing the function symbols car (unary), cdr (unary),
and cons (binary), and let $\mathcal{L}$ be the theory obtained by adding the following two
axioms, denoted with $Ax(\mathcal{L})$, to $\mathcal{E}$:

$car(cons(x, y)) = x$ (1)

$cdr(cons(x, y)) = y.$ (2)

For simplicity, $\mathcal{L}$ is only a sub-theory of the "LISP list structure" considered in
[NO80]. However, a decision procedure for such a theory can be derived by pre-processing
the set of ground literals using the technique of [NO80] to eliminate
negative occurrences of the predicate recognizing atoms and by applying SV.

¹ We do not claim this result to be new; it is stated here only to give the flavor of our
approach in the simple case of the pure equational theory.
Lemma 3. Let $S$ be a finite set of flat $T(\Sigma_{\mathcal{L}})$-literals. The clauses occurring in
the saturations of $S \cup Ax(\mathcal{L})$ by SV can only be the empty clause, ground flat
literals, or the equalities in $Ax(\mathcal{L})$.

Proof. The proof is by induction on the length of the derivations. No inference
between axioms in $Ax(\mathcal{L})$ is possible. Thus, by inspection of the rules in SV, there
are four cases to consider: (a) a Simplification between a ground flat equality
and a ground flat literal,² (b) application of Reflection to a ground distinction,
(c) a Superposition between an equality in $Ax(\mathcal{L})$ and a ground flat equality of
the form $cons(c_1, c_2) = c_3$ (where $c_i$ is an individual constant for $i = 1, 2, 3$), or
(d) a Paramodulation from a ground flat equality into a ground distinction. It is
straightforward to verify that in case (a) only ground flat literals are generated,
in case (b) the empty clause is generated, in case (c) ground flat equalities are
generated, and finally in case (d) ground distinctions are generated. □

Lemma 4. Let $S$ be a finite set of flat $T(\Sigma_{\mathcal{L}})$-literals. All the saturations of
$S \cup Ax(\mathcal{L})$ by SV are finite.

Proof. By Lemma 3, we know that the saturations of $S \cup Ax(\mathcal{L})$ by SV can
only contain the empty clause or ground flat literals. It is trivial to see that only
a finite number of flat literals can be built out of a finite set of symbols and
variables. □

Theorem 2. SV is a decision procedure for $\mathcal{L}$.

Let $n$ be the size of the input set of flattened literals. At most $O(n^2)$ flat literals
can be created by Superposition during saturation. The size of the current set of
literals in a derivation is always bounded by a constant $k$ which is $O(n^2)$. Other
inferences take polynomial time in $k$ according to Section 3.1. Hence overall the
decision procedure is polynomial.

5 A Decision Procedure for the Theory of Arrays

Let $\Sigma_{\mathcal{A}}$ be a signature containing the function symbols select (binary) and store
(ternary), and let $\mathcal{A}$ be the theory obtained by adding the following two axioms,
denoted by $Ax(\mathcal{A})$, to $\mathcal{E}$:

$select(store(a, i, e), i) = e$ (3)

$i \neq j \rightarrow select(store(a, i, e), j) = select(a, j)$ (4)

(where $a$, $i$, $j$, and $e$ are variables and (4) denotes $i = j \vee select(store(a, i, e), j) = select(a, j)$).
We shall assume that the ordering $\succ$ is s.t. any term that contains
select or store is $\succ$-bigger than all ground terms not containing
them; moreover, all non-constant symbols are greater than the constant
ones. Using an LPO ordering [DJ90], this can easily be ensured by a
suitable precedence relation.

² Notice that Superposition can never apply to ground flat literals since Simplification
has higher priority.
Lemma 5. Let $S$ be a finite set of flat $T(\Sigma_{\mathcal{A}})$-literals. The clauses occurring in
the saturations of $S \cup Ax(\mathcal{A})$ by SV can only be:

i) the empty clause; ii) the axioms in $Ax(\mathcal{A})$; iii) ground flat literals;
iv) clauses of the form $t \bowtie t' \vee c_1 = c'_1 \vee \cdots \vee c_n = c'_n$ where $c_1, c'_1, \ldots, c_n, c'_n$
($n \geq 0$) are individual constants and $t \bowtie t'$ is either a distinction between
two individual constants or an equality between individual constants or terms
of the form $select(c, c_i)$ (for some individual constants $c$ and $c_i$);
v) clauses of the form $select(c, x) = select(c', x) \vee c_1 = k_1 \vee \cdots \vee c_n = k_n$ where
$k_i$ (for $i = 1, \ldots, n$) is either the variable $x$ or is one among the individual
constants $c, c', c_1, \ldots, c_n$ ($n \geq 0$).

Proof. The proof is by induction on the length of the derivations. The base case
is simple and therefore omitted. By the induction hypothesis there are five types
of clauses produced after $n$ inference steps: i)-v). For inferences with Reflection
or Factoring on one clause the result is obvious. Deletion and Subsumption
do not create new clauses. For the sake of brevity, let replacement be either a
Superposition or Paramodulation step. Let us consider inference steps involving
two clauses. There are several cases to consider according to the categories the
clauses belong to:

ii)-ii): A Superposition can be applied to the axioms in $Ax(\mathcal{A})$ but it generates
the trivial clause $i = i \vee select(a, i) = e$ which is immediately
eliminated by Deletion. No new clause can be produced this way.

ii)-iii): A Superposition from a flat equality into axiom (3) produces a ground
flat equality, i.e. a clause of type iii), whereas a Superposition into
axiom (4) produces a clause of type v).

iii)-iii): The only possible inference is Simplification or Paramodulation between
a ground flat equality and a ground flat literal. It produces
only ground flat literals, i.e. a clause of type iii).

iii)-iv): A replacement produces a clause of type iv).

iii)-v): A replacement produces a clause of type iv) or v).

iv)-iv): A replacement produces a clause of type iv).

iv)-v): A replacement produces a clause of type iv).

v)-v): A replacement produces a clause of type iv) or v).

There is no possible inference between axioms and clauses of type iv) or v). □

Lemma 6. Let $S$ be a finite set of flat $T(\Sigma_{\mathcal{A}})$-literals. All the saturations of
$S \cup Ax(\mathcal{A})$ by SV are finite.

The proof of this Lemma is analogous to that of Lemma 4 and therefore it is
omitted.

Theorem 3. SV is a decision procedure for $\mathcal{A}$.

Let $n$ be the size of the input set of flattened literals. At most $O(2^{n^k})$ clauses
can be generated by saturation for some $k$ (in fact $k = 2$). Hence the decision
procedure takes time $O(2^{n^k})$.

Finally, it is worth noticing that the above decision procedure is similar to
the algorithm described in [Nel81].
6 A Decision Procedure for the Theory of Arrays with Extensionality

Let $\mathcal{A}^s$ be the many-sorted version of the theory $\mathcal{A}$ of Section 5, i.e. the many-sorted
theory with sorts ELEM, INDEX, and ARRAY, with function symbols store
and select of type ARRAY, INDEX, ELEM $\to$ ARRAY and ARRAY, INDEX $\to$
ELEM respectively, and with the sorted version of (3) and (4) as axioms.
(Notice that the use of sorts allows us to avoid problematic terms such as
$store(a, store(a, i, e), select(a, store(a, i, e)))$.) Let $\mathcal{A}^e$ be the many-sorted theory
of arrays with extensionality obtained from $\mathcal{A}^s$ by extending the set of axioms
with

$\forall i.(select(a, i) = select(b, i)) \rightarrow a = b$ (5)

where $a$ and $b$ are variables of sort ARRAY and $i$ is a variable of sort INDEX
(by abuse of notation, (5) denotes its clausal form). $\Sigma_{\mathcal{A}^e}$ denotes a signature
containing the function symbols select, store, and a finite set of function symbols
s.t. if $f$ is a function symbol of type $s_1, \ldots, s_n \to s_0$ distinct from
select and store, then $s_i$ is either INDEX or ELEM, for all $i = 0, 1, \ldots, n$ and
$n \geq 1$. Furthermore, we assume that $\Sigma_{\mathcal{A}^e}$ admits at least one ground term for
each sort, i.e. it is a sensible signature. Finally, let $Ax(\mathcal{A}^s)$ and $Ax(\mathcal{A}^e)$ be the
set of axioms of $\mathcal{A}^s$ and of $\mathcal{A}^e$, respectively.

Lemma 7. Let $S$ be a set of $T(\Sigma_{\mathcal{A}^e})$-literals and let $S'$ be obtained from $S$ by
replacing all the inequalities of the form $t \neq t'$ with $\exists i.\, select(t, i) \neq select(t', i)$,
where $t$ and $t'$ are terms of sort ARRAY. Then $S$ is $\mathcal{A}^e$-satisfiable iff $S'$ is $\mathcal{A}^s$-satisfiable.

Proof. We must show that $S \cup \mathcal{A}^e$ is satisfiable iff $S' \cup \mathcal{A}^s$ is or, equivalently,
that $S \cup Ax(\mathcal{A}^e)$ is satisfiable iff $S' \cup Ax(\mathcal{A}^s)$ is. The 'only if' case is easy.
For the 'if' case, let $I$ be a (many-sorted) model of $S' \cup Ax(\mathcal{A}^s)$. We define
the binary relation $\sim$ over $ARRAY^I$ to hold whenever $select^I(a, i) = select^I(b, i)$
for all $i \in INDEX^I$, and we define $\sim$ over $INDEX^I$ and $ELEM^I$ to be the
identity relation. We now show that $\sim$ is a $\Sigma_{\mathcal{A}^s}$-congruence. It is clearly an
equivalence. To prove that $\sim$ is a congruence it remains to show that if $a \sim b$,
then $store^I(a, i, e) \sim store^I(b, i, e)$ for all $i \in INDEX^I$ and $e \in ELEM^I$.³ Let us
assume that $a \sim b$ but $store^I(a, i, e) \not\sim store^I(b, i, e)$ for some $i \in INDEX^I$ and
$e \in ELEM^I$, i.e. that $select^I(store^I(a, i, e), k) \neq select^I(store^I(b, i, e), k)$ for some
$i, k \in INDEX^I$ and $e \in ELEM^I$. There are two cases to consider. If $k = i$ then, since
$I$ is a model of (3), we can conclude that $e \neq e$, a contradiction. Otherwise (i.e. if
$k \neq i$), since $I$ is a model of (4), we can conclude that $select^I(a, k) \neq select^I(b, k)$.
This is in contradiction with the assumption $a \sim b$. To conclude the proof, it is
sufficient to check that $I' = I/\!\sim$ is a model of $S' \cup Ax(\mathcal{A}^e)$. □

³ The case for select trivially follows from the definition of $\sim$. For a function symbol
in $\Sigma_{\mathcal{A}^e}$ distinct from select and store, congruence immediately follows from the
definition of $\sim$ and the properties of identity.
Lemma 8. Let $S$ be a conjunction of ground literals, then $S$ is $\mathcal{A}^s$-satisfiable iff
it is $\mathcal{A}$-satisfiable.

The following theorem is the key of our reduction mechanism.

Theorem 4. Let $S$ be a set of $T(\Sigma_{\mathcal{A}^e})$-literals and let $S'$ be obtained from
$S$ by replacing all the inequalities of the form $t \neq t'$ with $select(t, sk(t, t')) \neq select(t', sk(t, t'))$,
where $t$ and $t'$ are terms of sort ARRAY, and $sk$ is a Skolem
function of type ARRAY, ARRAY $\to$ INDEX. Then $S$ is $\mathcal{A}^e$-satisfiable iff $S'$ is
$\mathcal{A}$-satisfiable.

Proof. The Theorem readily follows from Lemma 7, Lemma 8, and basic properties
of skolemization. □

A decision procedure for the theory of arrays with extensionality $\mathcal{A}^e$
is as follows. Given as input a finite set $S$ of $T(\Sigma_{\mathcal{A}^e})$-literals, the procedure first
replaces every occurrence of literals of the form $t \neq t'$ with $select(t, sk(t, t')) \neq select(t', sk(t, t'))$,
where $t$ and $t'$ are terms of sort ARRAY, and $sk$ is a Skolem
function of type ARRAY, ARRAY $\to$ INDEX. Then, it feeds the resulting set of
literals to the decision procedure for $\mathcal{A}$ described in Section 5.

It is worth noticing that our decision procedure can be straightforwardly
generalized to multi-dimensional arrays if we view them as arrays of arrays.

The worst-case time of the decision procedure for $\mathcal{A}^e$ is that of the procedure
for $\mathcal{A}$, i.e. $O(2^{n^k})$ for a fixed natural number $k$, since the size of the set of input
literals obtained by the pre-processing step described above is $O(n)$.

7 Combining Decision Procedures for Lists and Arrays

To emphasize the flexibility of our approach, we show how easy it is to combine
the decision procedures for the theories of lists and arrays. Let $\Sigma_{\mathcal{U}}$ be a signature
containing the function symbols select (binary), store (ternary), car (unary), cdr
(unary), and cons (binary). Let $Ax(\mathcal{U})$ be the set of axioms obtained as the union
of $Ax(\mathcal{A})$, $Ax(\mathcal{L})$, and $\mathcal{E}$. Furthermore, we shall assume that the simplification
ordering $\succ$ (total on ground terms) satisfies the requirements of Section 5.

Lemma 9. Let $S$ be a finite set of ground flat $T(\Sigma_{\mathcal{U}})$-literals. The clauses occurring
in the saturations of $S \cup Ax(\mathcal{U})$ by SV can only be of the types i), iii), iv), v)
given in Lemma 5, of the types given in Lemma 3, or elements of $Ax(\mathcal{U})$.

Proof. Every Superposition or Paramodulation between axioms in $Ax(\mathcal{U})$ generates
a clause that can be deleted. Hence the proof is as that of Lemma 3 and
Lemma 5. □

Lemma 10. Let $S$ be a finite set of ground flat $T(\Sigma_{\mathcal{U}})$-literals. All the saturations
of $S \cup Ax(\mathcal{U})$ by SV are finite.

The proof of this Lemma is analogous to that of Lemma 4.

Theorem 5. SV is a decision procedure for $\mathcal{U}$.
8 A Decision Procedure for the Theory of Homomorphism

In this Section, we present an adaptation of the Knuth-Bendix completion procedure
[KB70] to work modulo the theory of homomorphism. The completion
process always terminates for ground equations and gives a decision procedure
for this theory.⁴

Let $\Sigma_{\mathcal{H}}$ be a signature containing the unary function symbol $h$ and let $\mathcal{H}$ be
the theory obtained by adding instances of the following axiom schema, denoted
with $Ax(\mathcal{H})$, to $\mathcal{E}$:

$h(f(x_1, \ldots, x_n)) = f(h(x_1), \ldots, h(x_n))$ (6)

where $f$ is any $n$-ary function symbol ($n > 0$) in a subset $\Sigma'$ of $\Sigma_{\mathcal{H}} \setminus \{h\}$. We
want to decide the $\mathcal{H}$-unsatisfiability of the set of ground literals $\psi$.

Example 3. $\{h(c) = c',\ h(c') = c,\ f(c, c') = h(h(a)),\ h(h(h(a))) \neq a,\ f(c', c) = a\}$
is $\mathcal{H}$-unsatisfiable.

By Lemma 1, we can assume that $\psi$ is a set of flat literals. Our decision procedure
consists of two steps. First, we complete the set of ground equalities in $\psi$ modulo
$\mathcal{H}$ in order to get a rewrite system $R$. Second, for each inequality $s \neq t$ in $\psi$, we
compute the normal form $s\!\downarrow_R$ of $s$ and the normal form $t\!\downarrow_R$ of $t$ (w.r.t. $R$).
Then, if there exists an inequality $s' \neq t'$ in $\psi$ s.t. $s'\!\downarrow_R$ is identical to $t'\!\downarrow_R$, $\psi$
is $\mathcal{H}$-unsatisfiable; otherwise, $\psi$ is $\mathcal{H}$-satisfiable.

8.1 Orientation

We introduce an ordering over ground terms which allows us to orient equalities
as rewrite rules in such a way that a superposition between a ground equality
and an equality in $Ax(\mathcal{H})$ can only generate a ground equality.

We first define a weight function on the symbols in $\Sigma_{\mathcal{H}}$, denoted with $[e]$
where $e$ is in $\Sigma_{\mathcal{H}}$: $[c] = 1$, for each constant symbol $c$ in $\Sigma_{\mathcal{H}}$; $[h] = 0$; and $[f] = 1$,
for $f$ in $\Sigma_{\mathcal{H}}$ s.t. $f$ is not a constant and $f$ is not $h$. The weight of a ground term
$t$, denoted with $[t]$, is the sum of the weights of the symbols (of $\Sigma_{\mathcal{H}}$) occurring
in it. Then, we consider a total precedence $>$ on symbols s.t. $h > f > c$, for all
constant symbols $c$ and all non-constant symbols $f$ distinct from $h$ of $\Sigma_{\mathcal{H}}$. In the
following $f^0(t)$ stands for $t$ and $f^n(t)$ abbreviates $f(f^{n-1}(t))$ for $n \geq 1$, where $f$
is a unary function symbol and $t$ is any term. The ordering $\succ$ on ground terms we
shall use is defined as follows (similarly to the Knuth-Bendix ordering [KB70]):
$s \succ t$ iff

1. $[s] > [t]$, or
2. $[s] = [t]$, $s$ is of the form $f(s_1, \ldots, s_m)$, $t$ is of the form $g(t_1, \ldots, t_n)$, and one
   of the following conditions holds:
   2.1. $f > g$;
   2.2. $f = g$, $m = n$ and $(s_1, \ldots, s_m) \succ_{lex} (t_1, \ldots, t_m)$ (where $\succ_{lex}$ denotes
        the lexicographic extension of $\succ$).

⁴ Note that the word problem for ground Associative-Commutative (AC) theories
is decidable [NR91] but for ground AC+Distributivity is undecidable [Mar92].
A direct modification of the proof of this last result would show that ground
AC+Homomorphism is undecidable too.



Lemma 11. The relation $\succ$ is transitive, irreflexive, and monotonic (i.e. $s \succ t$
implies $f(\ldots, s, \ldots) \succ f(\ldots, t, \ldots)$, where $f$ is in $\Sigma_{\mathcal{H}}$). Furthermore, $\succ$ is well-founded
and it satisfies:

– $f(c_1, \ldots, c_n) \succ h^i(c_{n+1})$ for all $i \geq 0$, all $f$ that are not constants and are
  different from $h$,

– $h(f(x_1, \ldots, x_n)) \succ f(h(x_1), \ldots, h(x_n))$ for all ground terms $x_i$ ($i = 1, \ldots, n$),
  and

– $h^i(c) \succ h^j(c')$ for all $i > j$ and for all constants $c, c'$ in $\Sigma_{\mathcal{H}}$.

Proof. The lemma is proved in exactly the same way as for the Knuth-Bendix
ordering [KB70].

We denote by $l \to r$ the rule obtained by orienting an equality $l = r$ when $l \succ r$.
Given a rewrite system $R$, we shall sometimes write $s \to_R t$ to express that $t$ is
the normal form of $s$ by $R$.
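As an added example (not the paper's code), the following Python implements the ordering just defined, with the tuple term representation and the name-based tie-breaking among symbols of the same class as assumptions of the example; it checks the three inequalities of Lemma 11 on constructed ground terms and orients the equalities $h(c) = c$ and $f(c, c') = c$ used in Section 8.2 together with the matching instance of axiom (6).

```python
# Added example, not the paper's code: the ordering of Section 8.1 on ground
# terms.  Convention of this example: a constant is a string, an application
# is a tuple (f, t1, ..., tn); h is the symbol named "h".

def is_const(t):
    return isinstance(t, str)

def weight(t):
    """[t]: h weighs 0, every other symbol (constants included) weighs 1."""
    if is_const(t):
        return 1
    return (0 if t[0] == "h" else 1) + sum(weight(a) for a in t[1:])

def prec(t):
    """Precedence of the root symbol of t: h > non-constant symbols > constants.
    Ties inside a class are broken by name (an assumption of this example; the
    paper only requires some total precedence)."""
    if is_const(t):
        return (0, t)
    return (2, "") if t[0] == "h" else (1, t[0])

def gt(s, t):
    """s > t in the Knuth-Bendix-style ordering of Section 8.1."""
    ws, wt = weight(s), weight(t)
    if ws != wt:
        return ws > wt                          # case 1: weights differ
    ps, pt = prec(s), prec(t)
    if ps != pt:
        return ps > pt                          # case 2.1: root symbols differ
    args_s = () if is_const(s) else s[1:]       # same root symbol from here on
    args_t = () if is_const(t) else t[1:]
    if len(args_s) != len(args_t):
        return False
    for a, b in zip(args_s, args_t):            # case 2.2: lexicographic
        if a != b:
            return gt(a, b)
    return False                                # s and t are identical

def h(t, n=1):
    """h^n(t)."""
    for _ in range(n):
        t = ("h", t)
    return t

def orient(l, r):
    """Rewrite rule obtained from l = r.  The ordering is total on ground
    terms, so None is returned only when l and r are identical."""
    if gt(l, r):
        return (l, r)
    if gt(r, l):
        return (r, l)
    return None

def lemma_11_checks(c1="c1", c2="c2", c3="c3", bound=6):
    """The three inequalities of Lemma 11 on constructed ground instances."""
    first = all(gt(("f", c1, c2), h(c3, i)) for i in range(bound))
    x1, x2 = c1, h(c2, 2)                       # arbitrary ground arguments
    second = gt(h(("f", x1, x2)), ("f", h(x1), h(x2)))
    third = all(gt(h(c1, i), h(c2, j)) for i in range(bound) for j in range(i))
    return first, second, third

def naive_rules():
    """Orientation of h(c) = c and f(c, c') = c (the Section 8.2 example) and
    of the instance h(f(c, c')) = f(h(c), h(c')) of axiom (6)."""
    return [orient(h("c"), "c"),
            orient("c", ("f", "c", "c'")),
            orient(h(("f", "c", "c'")), ("f", h("c"), h("c'")))]
```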



8.2 Computation of Critical Pairs

Now, we are in the position to orient the equalities in $\psi$ by means of the ordering
$\succ$ defined in Section 8.1 and to perform a completion on the resulting set of
rewrite rules using superposition rules. Unfortunately, with a naive approach,
the number of rules generated by completion would be infinite. For instance,
from $h(c) = c$, $f(c, c') = c$, and $Ax(\mathcal{H})$ we can generate $f(c, h^n(c')) = c$ for
$n \geq 0$. To cope with this problem, we will consider any rewrite rule $r$ as a rule
scheme (denoted $Gen(r, R_h)$ or $Gen(r)$ and defined below) and we compute all
superpositions between instances of two rule schemes in one step by using a
special purpose inference rule (cf. Homomorphism rule below).

Some preliminary definitions and lemmas are mandatory. We define an $f$-term
as a term with $f$ as root symbol and for which the only other non-constant
function symbol is $h$, where $f$ can be any symbol in $\Sigma_{\mathcal{H}}$ (in particular, $f$ can
possibly be $h$). We define an $f$-rule as a rewrite rule with an $f$-term as left-hand
side and an $h$-term or a constant symbol as right-hand side. For instance
$f(c, h^i(c'))$ is an $f$-term and $f(c, h^i(c')) \to h^j(c)$ or $f(c, h^i(c')) \to c$ are $f$-rules.
Examples of $h$-rules are $h^i(c') \to c$ or $h^i(c') \to h(c)$.

In the following, let $R_h$ be a convergent set of $h$-rules. We recall that $\Sigma'$ is
the subset of $\Sigma_{\mathcal{H}} \setminus \{h\}$ such that if $f$ of arity $n$ is in $\Sigma'$, then $h(f(x_1, \ldots, x_n)) =
f(h(x_1), \ldots, h(x_n))$ is in $Ax(\mathcal{H})$.
Lemma 12. The set $R_h \cup \{h(f(x_1, \ldots, x_n)) \to f(h(x_1), \ldots, h(x_n)) \mid f \in \Sigma'\}$ is
convergent (we shall denote it by $H$).

Lemma 13. Given constants $c, c'$ and two $h$-terms $h^j(c), h^i(c')$, the set $\{n \mid n \in
\mathbb{N},\ h^n(h^j(c)) \to_{R_h} h^i(c')\}$ is linear, i.e. the union of a finite set of
nonnegative integers and a finite set of arithmetic sequences. We denote it by
$P_{j,c,i,c'}$.

Proof. We may consider unary terms as words (for instance $h^j(c)$ as $h^j c$). Note
that the set of ancestors $\{w \mid w \to_{R_h} w'\}$ of a term $w'$ by $R_h$ can be effectively
described by a context-free grammar. The set of $h$-terms with constant $c$ is
obviously regular. Hence the set of $h^n h^j c$ that reduces to $h^i c'$ is the intersection
of a regular language $h^* h^j c$ with a context-free language and therefore context-free.
The set of lengths of words of a context-free language is linear.⁵ □

Let $J$ be the set of constants that do not occur in a left-hand side of $R_h$. If
$c \notin J$ we say that $c$ is bounded (in $R_h$).

Lemma 14. Given an $h$-term $h^j(c)$ and two constants $c, c'$ s.t. $c'$ is not bounded,
the set $\{i \mid \exists n \in \mathbb{N},\ h^n(h^j(c)) \to_{R_h} h^i(c')\}$ is an interval $[m, \infty)$ denoted by
$P'_{j,c,c'}$.

Proof. Note that $h^i(c')$ is $R_h$-irreducible. If there exist $u, v$ with $h^u(h^j(c)) \to_{R_h}
h^v(c')$ then for all $q \in \mathbb{N}$ we have $h^{u+q}(h^j(c)) \to_{R_h} h^{v+q}(c')$. □

Given an $f$-rule $r : f(t_1, \ldots, t_n) \to t_{n+1}$, we define $h^p(r)$ to be the rule
$(h^p(f(t_1, \ldots, t_n)))\!\downarrow_{R_h \cup H} \to (h^p(t_{n+1}))\!\downarrow_{R_h \cup H}$ (the exponent is written $p$ here
to keep it apart from the arity $n$). By the convergence of $R_h \cup H$ this is well defined.

Definition 1. For $f \in \Sigma'$, we define $Gen(r, R_h)$ as the set $\{h^p(r)\!\downarrow_{R_h \cup H} \mid p \in
\mathbb{N}\}$ where $r$ denotes any $f$-rule $f(t_1, \ldots, t_n) \to t_{n+1}$. For $f \notin \Sigma'$ we define
$Gen(r, R_h) = \{r\}$. We shall omit the argument $R_h$ in $Gen$ when it is clear from
the context.

Now, we derive a finite description for $Gen(r, R_h)$. We first classify the elements
in $Gen(r)$ according to their bounded arguments. More specifically we introduce
the equivalence relation $\sim$ on $f$-rules in $Gen(r)$:

Definition 2. Given two normalized (by $R_h$) rules $r_1 : f(h^{i_1}(c_1), \ldots, h^{i_n}(c_n)) \to
h^{i_{n+1}}(c_{n+1})$ and $r_2 : f(h^{j_1}(d_1), \ldots, h^{j_n}(d_n)) \to h^{j_{n+1}}(d_{n+1})$ and such that $r_1, r_2 \in
Gen(r)$, we have $r_1 \sim r_2$ iff for all $k$, $c_k = d_k$ and for all $c_k \notin J$, $i_k = j_k$.

For instance if $R_h = \{h(c) \to c\}$ then $(g(h^i(c'), c) \to h^j(c')) \sim (g(h^{i'}(c'), c) \to
h^{j'}(c'))$. We have the following simple lemma:

Lemma 15. The equivalence $\sim$ defined on $Gen(r)$ has finite index (i.e. the number
of classes is finite).

Proof. Simple and therefore omitted.

⁵ For details, see ex. 6.8 at page 142 of [UAH74].

We are now in the position to give a finite representation for the equivalence
class of a rule $r'$ in $Gen(r)$.

Definition 3. Let $r$ be an $f$-rule $r : f(h^{i_1}(c_1), \ldots, h^{i_n}(c_n)) \to h^{i_{n+1}}(c_{n+1})$ and
$r' : f(h^{j_1}(d_1), \ldots, h^{j_n}(d_n)) \to h^{j_{n+1}}(d_{n+1})$. Then, we define $C_{r,r'} = \{r'' \in
Gen(r) \mid r' \sim r''\}$.

Let us compute $C_{r,r'}$ more explicitly. We introduce

$$P_{r,r'} = \bigcap_{\substack{1 \leq m \leq n+1 \\ d_m \notin J}} P_{i_m, c_m, j_m, d_m} \;\cap\; \bigcap_{\substack{1 \leq m \leq n+1 \\ d_m \in J}} \bigcup_{x \in \mathbb{N}} P_{i_m, c_m, x, d_m}$$

(for a bounded $d_m$ the exponent $j_m$ is fixed, for an unbounded one any exponent
is admitted, as required by Definition 2). Let $p_{r,r'}$ be the minimal element of $P_{r,r'}$.
Note that $p_{r,r'}$ is computable since it can be defined by a formula of Presburger
arithmetic:

$$P_{r,r'}(x) \wedge (\forall y.\ P_{r,r'}(y) \rightarrow x \leq y)$$

We denote by $n(p, l, c, d)$ the natural number $n$ (when it exists) such that
$h^p(h^l(c)) \to_{R_h} h^n(d)$. Then

$$C_{r,r'} = \{\, f(h^{t_1}(d_1), \ldots, h^{t_n}(d_n)) \to h^{t_{n+1}}(d_{n+1}) \mid \text{for } 1 \leq m \leq n+1,\
t_m = j_m \text{ if } d_m \notin J \text{ and } t_m = p - p_{r,r'} + n(p_{r,r'}, i_m, c_m, d_m) \text{ if } d_m \in J,
\text{ where } p \in P_{r,r'} \,\}$$

We define the size of an $h$-rule $h^a(b) \to h^c(d)$ to be $a + c$. By reduction to
Presburger arithmetic, we can prove the following fact.

Lemma 16. Given two $f$-rules $r_1, r_2$, the minimal non-trivial critical pairs between
rules in $Gen(r_1)$ and $Gen(r_2)$ are computable.

8.3 Completion Procedure

We now give the three inference rules defining the binary transition relation
over sets of equalities (denoted with $\vdash$), which models our completion procedure
(modulo $\mathcal{H}$). The first is the Deletion rule of Table 2. The second is the Simplification
rule, obtained as an instance for unit clauses of the Simplification rule of
Table 2 (i.e. $E \cup \{l[s] = r, s = t\} \vdash E \cup \{l[t] = r, s = t\}$, if $l[s] \succ r$ and $s \succ t$). The
third is a special purpose inference rule which allows us to take into account finitely
many selected instances of the axioms in $Ax(\mathcal{H})$ which suffice for correctness.

Homomorphism: $E \cup \{r_1, r_2\} \vdash E \cup \{r_1, r_2, h_1, \ldots, h_k\}$

where the $r_i$ are $f$-rules and the $h_j$ are the minimal critical pairs of $Gen(r_1, R_h)$
and $Gen(r_2, R_h)$. We recall that by Lemma 1, we assume that the initial set of
rules is flat, which means by definition that the arguments of the non-constant
symbols are constants.
Lemma 17. When initially given a set of flat rules, inference rules Simplification
and Homomorphism only generate equations of type $f(h^{i_1}(c_1), \ldots, h^{i_n}(c_n)) =
h^{i_{n+1}}(c_{n+1})$ or of type $h^i(c) = h^{i'}(c')$.

Theorem 6. Completion with priority given to rule Simplification always terminates.

Proof. Note that any sequence of Simplification applications always terminates.
Let $E_0, E_1, E_2, \ldots$ be an infinite derivation such that $E_i$ is the result of applying
Homomorphism to $E_{i-1}$ followed by a maximal sequence of Simplification
applications. We assume that the set of constants is $\{c_1, \ldots, c_k\}$. Let
$M_j = (m^1_j, \ldots, m^k_j)$ be the exponents of $h$ in the $h$-rules of $E_j$. That is, if there
is a rule in $E_j$ with left-hand side $h^m(c_l)$ then $m^l_j = m$. Note that there are no
two rules of this type for the same constant $c_l$ (otherwise one simplifies another)
and therefore the vector $M_j$ is well-defined. When no rule exists we put $\infty$ as a
coordinate, with $n < \infty$ for all integers $n$.

The component-wise ordering on vectors $M_j$ is well-founded and we always
have $M_j \leq M_{j-1}$. Hence after some finite number of steps the left-hand sides
of $h$-rules remain the same. Also the right-hand sides of rules may be simplified
but only finitely many times (the reduction relation is well-founded too). Finally
after some finite number of steps the set of $h$-rules is constant. Note also that
this subset of rules is canonical. We shall denote it by $R_h$. In particular at most
one rule applies to an $h$-term $h^n(c)$.

Homomorphism generates only $h$-rules. Hence after a finite number of steps,
say $K$, it will not produce any new rule. Note that the arguments of left-hand
sides of $f$-rules are of type $h^i(c_j)$ with $i < M_K(j)$ when $c_j$ is bounded. □

Theorem 7. Let $E$ be the final finite set of rules obtained by the terminating
completion procedure above. Let $R_h$ be the final set of $h$-rules in $E$. Then, $\bar{E} \cup H$
is convergent where $\bar{E}$ is the union of all sets $Gen(r, R_h)$ for all $r$ in $E$.

Corollary 1. Given a set of ground equations $E_0$, and the set $E$ derived from
$E_0$ by completion, then $E_0 \cup H \models a = b$ iff $a \downarrow b$, i.e. $a$ and $b$ have the same
normal form w.r.t. $\bar{E} \cup H$.

9 Conclusions and Future Work 

We have shown how to apply a generic inference system to derive decision procedures
for the theories of lists, arrays, arrays with extensionality, and combinations
of them. A decision procedure (based on superposition) for the theory of
homomorphism has been presented for the first time.

We envisage two main directions for future research. Firstly, our approach
might be extended using different automated deduction techniques from e.g.
[CP95,Lei90]. Secondly, we want to investigate possible cross-fertilizations with
techniques used in heuristic theorem provers to effectively incorporate decision
procedures, see e.g. [AR01].
Abstract. A categorical four-rule deduction system for equational logics
is presented. We show that under reasonable finiteness requirements
this system is complete with respect to equational satisfaction abstracted
as injectivity. The generality of the presented framework allows one to
derive conditional equations as well at no extra cost. In fact, our deduction
system is also complete for conditional equations, a new result to
the author's knowledge.



1 Introduction 

Equational logic has advantages that give it a special place in computer science:
it is easily mechanizable, it is expressive, it has simple semantic models, and it has
complete deduction. It is supported by many known specification and verification
systems, such as those in the OBJ family [13,5,8,9]. Its expressivity is probably best
reflected by the fact that any computable data type can be characterized by
means of a finite equational specification [3]. Its models are just algebras, which
are very simple and intuitive structures. We suggest [11, 22] for an introduction
to many-sorted equational logics and their completeness.

There is a plethora of variants and generalizations of equational logics, ranging
from unsorted [4] to partial [23], order sorted [12,28], and hidden [10,24]
equational logics. Categorical generalizations allowed proving common results,
such as variety and quasi-variety theorems, only once [2,21,25]. These categorical
approaches abstract equational satisfaction by injectivity, which turn out to
be equivalent concepts in concrete situations. Local equational logic [6] allows
deduction to be done in any model, not only in the initial model. This was the
basis of category-based equational logic [7] and of the present paper.

In this paper we take the categorical view of an equation as an epimorphism 
and show that there is a categorical deduction system at that abstract level, 
and that that deduction system is in fact complete under appropriate finiteness 
requirements. Since both unconditional and conditional equations can be viewed 
as epimorphisms, our deduction system can derive conditional equations as well 
and it is also complete for them. We are not aware of any similar result for 
any equational paradigm in the literature. Since our first class objects are the 
epimorphisms, there is a high chance that our results find applications in other 
fields as well, such as topology. 
The paper is structured as follows: Section 2 reminds the reader of a few less frequently 
used categorical concepts and introduces our notations and conventions. 
Section 3 revises factorization systems and then Section 4 shows how equations, 
both unconditional and conditional, are equivalent to surjective morphisms when 
satisfaction is replaced by injectivity. Section 5 gives the categorical deduction 
rules and their completeness, and then the last section presents some challenges 
for further research. 

Acknowledgments: This work started at the University of Bucharest under the 
supervision of Virgil Emil Cazanescu and Sergiu Rudeanu. Frequent discussions 
with Joseph Goguen were not only very productive, but they actually motivated 
writing this paper. Debates with Razvan Diaconescu on relationships between 
the present approach and his category-based equational logic have led to the 
finiteness condition that is needed to prove the completeness. Thank you! 

2 Preliminaries 

The language of this paper is category theory and the reader is assumed familiar 
with basic concepts of both category theory and equational logics. The purpose 
of this section is to introduce our notations and conventions rather than to 
redefine known concepts, though some less frequent notions will be recalled. 
We suggest the books by MacLane [18] and by Herrlich and Strecker [15] for more 
detail on category theory. $|C|$ is the class of objects of a category $C$. By abuse, we 
often use set-theoretic notation, such as $P \in |C|$. The composition of morphisms 
is written in diagrammatic order, that is, if $f : A \to B$ and $g : B \to C$ then 
$f;g : A \to C$. If the source or the target of a morphism is not important in a 
certain context, then we replace it by a bullet to avoid inventing new letters; for 
example, $f : A \to \bullet$. In situations where there are more than one such object, 
these objects may be different. 

Given a class of morphisms $\mathcal{E}$ in a category $C$, an object $P \in |C|$ is called 
$\mathcal{E}$-projective if and only if for any $e : \bullet \to A$ in $\mathcal{E}$ and any $h : P \to A$, there is a 
$g$ such that $g;e = h$. Dually, $I$ is $\mathcal{E}$-injective if and only if for any $e : A \to \bullet$ in $\mathcal{E}$ and 
any $h : A \to I$, there is a $g$ such that $e;g = h$. $C$ is called $\mathcal{E}$-co-well-powered if 
and only if for any $A \in |C|$ and any class $\mathcal{D}$ of morphisms in $\mathcal{E}$ of source $A$, there 
is a set $\mathcal{D}' \subseteq \mathcal{D}$ such that each morphism in $\mathcal{D}$ is isomorphic to some morphism 
in $\mathcal{D}'$. We often call $\mathcal{D}'$ a representative set of $\mathcal{D}$. There is a dual notion of 
well-poweredness but it is not needed in this paper. Unless otherwise specified, 
by colimit we mean small colimit, that is, colimit of a diagram whose nodes and 
arrows form a set. 

If $X$ is an object in a category $\mathcal{E}$, then $X \downarrow \mathcal{E}$ is the comma category containing 
morphisms $e, e', \ldots : X \to \bullet$ in $\mathcal{E}$ as objects and morphisms $h \in \mathcal{E}$ such that 
$e;h = e'$ as morphisms. Notice that if $\mathcal{E}$ contains only epimorphisms then there 
is at most one morphism between any two objects in $X \downarrow \mathcal{E}$. 

A nonempty partially ordered set $(I, \le)$ is called directed provided that each 
pair of elements has an upper bound. A directed colimit in a category $\mathcal{K}$ is a 
colimit of a diagram $D : (I, \le) \to \mathcal{K}$, where $(I, \le)$ is a directed poset (regarded 
as a category). An object $K$ of a category $\mathcal{K}$ is called finitely presentable 
provided that its hom-functor $Hom(K, \_) : \mathcal{K} \to Set$ preserves directed colimits. 
It is easy to see that $K$ is finitely presentable iff for each directed colimit 
$(\{\gamma_i : D(i) \to C\}_{i \in |I|}, C)$ and each morphism $f : K \to C$, there is an $i \in |I|$ and 
a unique morphism $f_i : K \to D(i)$ such that $f_i ; \gamma_i = f$. 



3 Factorization Systems 



To the author's knowledge, the first formal definition of a factorization system 
of a category was given by Herrlich and Strecker¹ [15] in 1973, and a first 
comprehensive study of factorization systems containing different equivalent definitions 
was done by Nemeti [20] in 1982. However, the idea to form subobjects 
by factoring each morphism $f$ as $e;m$, where $e$ is an epimorphism and $m$ is a 
monomorphism, seems to go back to Grothendieck [14] in 1957, and was intensively 
used by Isbell [16], Lambek [17], Mitchell [19], and many others. To our 
knowledge, Lambek was the first to explicitly state and prove a diagonal-fill-in 
lemma in 1966 [17]. 

Definition 1. A factorization system of a category $C$ is a pair $(\mathcal{E}, \mathcal{M})$ such that: 

— $\mathcal{E}$ and $\mathcal{M}$ are subcategories of epics and monics, respectively, in $C$, 

— all isomorphisms in $C$ are both in $\mathcal{E}$ and $\mathcal{M}$, and 

— every morphism $f$ in $C$ can be factored as $e;m$ with $e \in \mathcal{E}$ and $m \in \mathcal{M}$ 
"uniquely up to isomorphism", that is, if $f = e';m'$ is another factorization 
of $f$ then there is a unique isomorphism $a$ such that $e;a = e'$ and $a;m' = m$. 

[Diagram: the two factorizations $f = e;m = e';m'$ connected by the isomorphism $a$.] 






The following is one of the most important properties of factorization systems, 
often used as an equivalent definition: 

Lemma 1. Diagonal-fill: If $f;m = e;g$ with $e \in \mathcal{E}$ and $m \in \mathcal{M}$, then there is a "unique up to isomorphism" 
$h \in C$ such that $e;h = f$ and $h;m = g$: 

[Diagram: the commuting square $f;m = e;g$ with the diagonal $h$.] 



We have localized the use of factorization systems in this paper to only the 
following simple property which is crucial for the completeness result. Since we 
are not aware of any proof in the literature, we sketch one next: 

¹ They called it an $(\mathcal{E}, \mathcal{M})$-factorizable category. 
Proposition 1. If $X \in |C|$ and $C$ has colimits then $X \downarrow \mathcal{E}$ has colimits. 

Proof. Let $\mathcal{D}$ be a diagram in $X \downarrow \mathcal{E}$ having as nodes the set $\{e_i : X \to \bullet\}_{i \in I}$, 
and let $\overline{\mathcal{D}}$ be the diagram in $C$ obtained by "flattening" $\mathcal{D}$, that is, by merging 
both the objects and the arrows of $\mathcal{D}$. Let $(\{\gamma_i\}_{i \in I}, X_{\mathcal{D}})$ be a colimit of $\overline{\mathcal{D}}$ in $C$. 
Then we claim that $(\{\gamma_i\}_{i \in I}, X_{\mathcal{D}})$ can be organized as a colimit of $\mathcal{D}$ in $X \downarrow \mathcal{E}$. 
The only interesting thing to show is that the morphism $h = e_i ; \gamma_i$ (which is the 
same for all $i \in I$) is in $\mathcal{E}$, which follows by the diagonal-fill lemma: factor $h$ as 
$e_h ; m_h$. Then for any $i \in I$ there is some $\beta_i$ such that $e_i ; \beta_i = e_h$ and $\beta_i ; m_h = \gamma_i$, 
that is, $\{\beta_i\}_{i \in I}$ is a cocone for $\overline{\mathcal{D}}$, so there is a unique $g$ such that $\gamma_i ; g = \beta_i$ for 
all $i \in I$. Then $g ; m_h = 1_{X_{\mathcal{D}}}$, so $m_h$ is an isomorphism. 

When $C$ is additionally $\mathcal{E}$-co-well-powered, colimits in $X \downarrow \mathcal{E}$ exist even for 
large diagrams $\mathcal{D}$ whose nodes form a class: one takes the colimit of a set $\mathcal{D}' \subseteq \mathcal{D}$ 
with the property that each $e \in |\mathcal{D}|$ is isomorphic to some $e' \in |\mathcal{D}'|$. 

Definition 2. $(\{\gamma_i\}_{i \in I}, e_{\mathcal{D}} : X \to X_{\mathcal{D}})$ denotes the colimit of $\mathcal{D} \subseteq X \downarrow \mathcal{E}$. 

4 Equational Satisfaction as Injectivity 

As advocated by Banaschewski and Herrlich [2], and by Andreka, Nemeti and 
Sain [1,21] among many others², satisfaction of equations is equivalent to injectivity. 
It is often more convenient to work with sets of equations than with 
individual equations. For example, Craig interpolation doesn't hold for individual 
equations but it holds for sets of equations [27] (see [26] for a categorical 
approach). In our present framework, it is most convenient to view the equations 
as finite or infinite sets of pairs of terms quantified over the same variables, 
for example $(\forall X)\ t_1 = t'_1, t_2 = t'_2, \ldots$. If the number of terms is finite then we 
informally call the equation finite. 

Consider that $C$ is the category of universal or many-sorted $\Sigma$-algebras over 
a (many-sorted) signature $\Sigma$. Each equation $(\forall X)\ t_1 = t'_1, t_2 = t'_2, \ldots$ generates 
a congruence relation on the term algebra $T_\Sigma(X)$ over variables in $X$, which 
implicitly gives a surjective morphism $e : T_\Sigma(X) \to \bullet$. It can be readily seen that 
an algebra $A$ satisfies $(\forall X)\ t_1 = t'_1, t_2 = t'_2, \ldots$ if and only if it is $\{e\}$-injective. 
Conversely, each surjective morphism $e : T_\Sigma(X) \to \bullet$ of free algebra source 
generates a potentially infinite equation $(\forall X)\ Ker(e)$. It can also be readily seen 
that an algebra is $\{e\}$-injective if and only if it satisfies $(\forall X)\ Ker(e)$. Therefore, 
satisfaction of equations and $\Omega$-injectivity, where $\Omega$ contains morphisms with 
free sources, are equivalent concepts. It is often technically easier to abstract 
freeness by projectivity (any free algebra is projective; see [25] for conditions 
under which free objects are projective). 

What is less known is that satisfaction of conditional equations is also equivalent 
to $\Omega$-injectivity, but this time $\Omega$ can contain epimorphisms of non-free 
sources. To be more precise, let us consider the following conditional equation: 

$(\forall X)\ t_1 = t'_1, t_2 = t'_2, \ldots \ \textbf{if}\ u_1 = u'_1, u_2 = u'_2, \ldots$ 

² See also [25] for an approach based on inclusion systems. 
Let $Q$ be the quotient $T_\Sigma(X)/\{(u_1, u'_1), (u_2, u'_2), \ldots\}$ and let $e : Q \to \bullet$ be the 
canonical surjective morphism generated by the pairs $([t_1], [t'_1]), ([t_2], [t'_2]), \ldots$ on³ 
$Q$. Then one can relatively easily see that an algebra $A$ satisfies the conditional 
equation if and only if it is $\{e\}$-injective. Conversely, let $e : Q \to \bullet$ be any surjective 
morphism and let $\varepsilon_Q : T_\Sigma(Q) \to Q$ be the unique extension of $1_Q : Q \to Q$, 
viewed as a function, to a morphism, where $T_\Sigma(Q)$ is the free algebra over $Q$ regarded 
as a set of variables. In other words, $\varepsilon_Q$ is the co-unit of the free algebra 
adjunction. If one considers now the equation 

$(\forall Q)\ Ker(\varepsilon_Q ; e)\ \textbf{if}\ Ker(\varepsilon_Q)$ 

then one can verify that an algebra $A$ satisfies it if and only if $A$ is $\{e\}$-injective. 
$Ker(\varepsilon_Q ; e)$ and $Ker(\varepsilon_Q)$ can be replaced by sets of generators for the kernels 
of the two morphisms. Therefore, satisfaction of conditional equations is also 
equivalent to injectivity. 
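As an added worked instance of this construction (not from the paper; the signature, the variable set and the equation are chosen here for illustration), take a signature $\Sigma$ with one unary symbol $s$ and one constant $0$, $X = \{x\}$, and the conditional equation $(\forall x)\ s(x) = x\ \textbf{if}\ s(s(x)) = x$:

```latex
Q = T_\Sigma(X)/\{(s(s(x)), x)\}, \qquad
|Q| = \{[x], [s(x)]\} \cup \{[s^n(0)] \mid n \ge 0\},
\text{ since the congruence generated by the single pair identifies }
s^{k+2}(x) \text{ with } s^k(x) \text{ and nothing else.}

e : Q \to Q/\{([s(x)], [x])\}
\text{ is the canonical surjection generated by the pair } ([s(x)], [x]).

\text{A homomorphism } h : Q \to A \text{ is determined by } a = h([x])
\text{ and exists iff } s_A(s_A(a)) = a;
\text{ it factors through } e \text{ iff } h([s(x)]) = h([x]),
\text{ i.e. } s_A(a) = a.

\text{Hence } A \text{ is } \{e\}\text{-injective}
\iff \forall a \in A.\ s_A(s_A(a)) = a \Rightarrow s_A(a) = a
\iff A \models (\forall x)\ s(x) = x\ \textbf{if}\ s(s(x)) = x .
```

The quotient $Q$ is not free (the classes $[x]$ and $[s(x)]$ form a 2-cycle under $s$), which is exactly why $e$ has a non-free source, as the paragraph above says.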

In [25], it is shown that the difference wrt injectivity between epimorphisms 
of free or projective source and epimorphisms of any source is exactly as the 
difference wrt satisfaction between unconditional and conditional equations, that 
is, the first ones define varieties while the second define quasi-varieties. 

The disadvantage of regarding equations as epimorphisms $e : Q \to \bullet$ is that 
their kernel may not be finitely generated, so complete deduction systems do not 
seem to exist anymore. However, in the rest of the paper we give a categorical 
deduction system for epimorphisms $e : Q \to \bullet$ and show that it is complete 
for $e$ under reasonable finiteness requirements on $e$. The following simple but 
important result gives intuition for further notions, where $\mathcal{E}$ is the category of 
surjective morphisms of $C$: 

Proposition 2. $e$ is finitely presentable in $Q \downarrow \mathcal{E}$ iff $Ker(e)$ is finitely generated. 

5 Complete Categorical Deduction 

In this section we first give an inference system and then we show it sound for any 
epimorphism, but complete only for finite epimorphisms. To make our results 
as general as possible we choose to work in an abstract, categorical framework: 

Framework: A category $C$ that 

— admits a factorization system $(\mathcal{E}, \mathcal{M})$, 

— is $\mathcal{E}$-co-well-powered, 

— has colimits. 

The category $C$ can be thought of as the category of algebras over a given signature. 
We think that this framework is general enough to contain all equational 
approaches, but of course, it is not limited to only those; for example, one can 
consider $C$ as the category of topological spaces. However, having in mind the 
previous section, we often abuse and call the epimorphisms in $\mathcal{E}$ equations. We 
next define satisfaction in this framework as injectivity: 

³ $[t]$ is the equivalence class of $t$ in $Q$. 
Definition 3. Given an object $A$ in $C$ and $e : X \to \bullet$ in $\mathcal{E}$, then $A$ satisfies $e$ if 
and only if $A$ is $\{e\}$-injective. As usual, we write $A \models e$ and extend it to $E \models e$ 
for any class of equations $E$. 



5.1 Inference Rules 

The following introduces four rules by which one can derive epimorphisms in $\mathcal{E}$. 
If not explicitly stated otherwise, from now on in the paper consider that $E \subseteq \mathcal{E}$ is a 
class of equations with $\mathcal{E}$-projective sources and that $e : X \to \bullet$ is any equation 
(its source is not required to be projective). We often use the same letter $e$ for 
the equations in $E$, mentioning that there is no confusion because those have 
$\mathcal{E}$-projective sources denoted by $P$. The projectivity condition is not needed for 
the soundness, but for simplicity we prefer to add it here. 

Definition 4. $E \vdash e$ denotes the derivation relation generated by the rules: 

Identity: 

Union: 

Restriction: 

$E$-Pushout: 

For a better intuition with respect to the more traditional equational logics, one could 
imagine that $X$ is the set of variables (seen as a free algebra) while the pair(s) of 
terms over those variables correspond to the kernel of the derived epimorphism. 
In this light, Identity corresponds to reflexivity, Union to symmetry, transitivity 
and congruence, while $E$-Pushout corresponds to substitution. Notice that Union 
actually grows the set of "proved" facts; for example, if $e_1$ corresponds to $t = t'$ 
and $e_2$ corresponds to $t' = t''$, then their union corresponds to all of $t = t', t' = t'', t = t'', \ldots$. 
The role of Restriction is to select a subset of interest of those pairs, 
for example $t = t''$. 

Despite the projectivity of sources of equations in $E$, notice that the derived 
equations may not have projective sources. In standard equational terminology, 
that means that one can actually derive conditional equations as well. 



[Rule diagrams of Definition 4: Identity ($1_X : X \to X$), Union (the pushout $e$ of $e_1, e_2 : X \to \bullet$), Restriction, and $E$-Pushout (the pushout of $e : P \to \bullet$ in $E$ along a morphism $P \to X$).] 
Definition 5. If $E \vdash e$ and $e$ has source $X$ then $e$ is called an $X$-derivation 
of $E$. Let $\mathcal{D}_X(E)$ denote the full subcategory of $X \downarrow \mathcal{E}$ of $X$-derivations of $E$. 

Notice that $\mathcal{D}_X(E)$ can be a class in general because $E$ can be a class. 
However, since $C$ is $\mathcal{E}$-co-well-powered, $\mathcal{D}_X(E)$ still has colimits in $X \downarrow \mathcal{E}$; its 
colimit object is denoted by $e_{\mathcal{D}_X(E)} : X \to X_{\mathcal{D}_X(E)}$, as usual (see Definition 2). 

Proposition 3. $\mathcal{D}_X(E)$ is directed. 

Proof. This is because $\mathcal{D}_X(E)$ is closed under Union. 

Again, if $\mathcal{D}_X(E)$ is not a set then it can be replaced by some representative 
set that it includes. 

5.2 Soundness 

In this subsection we show that the rules above are correct with respect to 
satisfaction as injectivity. 

Theorem 1. Soundness. $E \vdash e$ implies $E \models e$. 

Proof. It is easy to see that each of the rules above is sound. We only give 
the proof for Union. Let $Y$ be an object such that $Y \models e_1$ and $Y \models e_2$, and 
let $h : X \to Y$ be any morphism. Since $Y$ is $\{e_1, e_2\}$-injective, there are two 
morphisms $g_1$ and $g_2$ such that $e_1 ; g_1 = e_2 ; g_2 = h$: 

[Diagram: $e_1, e_2 : X \to \bullet$, their pushout $e$, and the morphisms $g_1$, $g_2$, $h$.] 

Then by the pushout property, there is a $g$ such that $e ; g = h$, i.e., $Y \models e$. 



5.3 Closures under $E$-Pushouts 

Closures under $E$-pushouts correspond to closures under substitutions in the 
usual equational setting. Formally, 

Definition 6. $\mathcal{D} \subseteq X \downarrow \mathcal{E}$ is closed under $E$-pushouts if and only if for any 
$e : P \to \bullet$ in $E$ and any $f : P \to X$, it is the case that $e^f : X \to \bullet$ is in $\mathcal{D}$. 

With the notation in Definition 2, 
Lemma 2. If $\mathcal{D} \subseteq X \downarrow \mathcal{E}$ is closed under $E$-pushouts then $X_{\mathcal{D}} \models E$. 

Proof. Like in Definition 2, let us consider that $\gamma_j$ is the coprojection associated 
to each $e_j \in \mathcal{D}$ (composed with an appropriate isomorphism if $\mathcal{D}$ is not a set), 
so that $e_j ; \gamma_j = e_{\mathcal{D}}$. 

[Diagram: $e_j : X \to \bullet$, the coprojection $\gamma_j$, and $e_{\mathcal{D}} : X \to X_{\mathcal{D}}$.] 

Let $e : P \to \bullet$ be any equation in $E$ and $h : P \to X_{\mathcal{D}}$ any morphism. By the 
projectivity of $P$, there is a $g : P \to X$ such that $g ; e_{\mathcal{D}} = h$. Since $\mathcal{D}$ is closed 
under $E$-pushouts, there is an $e_j \in \mathcal{D}$ such that $e^g = e_j$; let $g'$ be the morphism 
that completes the pushout diagram, that is, $g ; e^g = e ; g'$. It can be easily seen 
now that $e ; (g' ; \gamma_j) = h$, that is, $X_{\mathcal{D}} \models E$. 

With the notation in Definition 5, 

Proposition 4. $E \models e$ iff $X_{\mathcal{D}_X(E)} \models e$. 

Proof. If $E \models e$ then one can replace $\mathcal{D}$ in the lemma above by $\mathcal{D}_X(E)$ and thus 
obtain that $X_{\mathcal{D}_X(E)} \models e$. 

Conversely, if $X_{\mathcal{D}_X(E)} \models e$ then there is an $e'$ such that $e ; e' = e_{\mathcal{D}_X(E)}$. Let $A \models E$ 
and let $h : X \to A$. Since $A \models \mathcal{D}_X(E)$, for each $e_j \in \mathcal{D}_X(E)$ there is a $\beta_j$ 
such that $e_j ; \beta_j = h$. Then $A$ together with the morphisms $\beta_j$ form a cocone in 
$C$ for $\mathcal{D}_X(E)$, so there is a unique $g : X_{\mathcal{D}_X(E)} \to A$ such that $\gamma_j ; g = \beta_j$ for all 
$e_j \in \mathcal{D}_X(E)$. It follows then that $e ; (e' ; g) = e_{\mathcal{D}_X(E)} ; g = e_j ; \gamma_j ; g = e_j ; \beta_j = h$, 
that is, $A \models e$. 

5.4 Completeness 

One cannot expect any deduction system to be complete for satisfaction as injectivity 
without some kind of finiteness. We find the following convenient enough: 

Definition 7. The equation $e : X \to \bullet$ is finite provided that it is finitely 
presentable in the comma category $X \downarrow \mathcal{E}$. 

According to Proposition 2, the intuition for the above is that $e : X \to \bullet$ is 
finite if and only if the (many-pair) equation it represents is finitely generated. 

Theorem 2. Completeness. $E \models e$ implies $E \vdash e$ whenever $e$ is finite. 

Proof. Suppose that $E \models e$. Then by Proposition 4, $X_{\mathcal{D}_X(E)} \models e$, so there is an 
$e'$ such that $e ; e' = e_{\mathcal{D}_X(E)}$. Since $e$ is finite and $\mathcal{D}_X(E)$ is directed (Proposition 3), there is an $e_j$ in $\mathcal{D}_X(E)$ and an $e''$ 
such that $e ; e'' = e_j$. But $E \vdash e_j$, so by Restriction, $E \vdash e$. 
6 Conclusion and Future Work 

A categorical deduction system was presented for a categorical abstraction of 
equational logics. This categorical abstraction together with generalizations of 
Birkhoff variety and quasi-variety results are known and considered folklore 
among category theorists; in this categorical framework, equational satisfaction 
can be equivalently replaced by injectivity. In this paper we showed that it is 
quite reasonable to have a categorical deduction system at that abstract level, 
and that that deduction system is in fact complete under appropriate finiteness 
requirements. 

The advantage of using category theory to represent deduction systems is 
multiple. First of all, we were pleased to discover that the deduction is complete 
even for conditional equations. That means that one can deduce a conditional 
equation directly, as opposed to the common approach that uses the theorem 
of constants to add the hypothesis of the equation as a new axiom and then to 
deduce the conclusion. We are not aware of any other proof of this in the litera- 
ture and we find it interesting that it comes for free in the categorical approach. 
Second, all equational frameworks with their complete deduction systems fall 
now under a common umbrella: any new results obtained at the abstract level, 
such as the derivation of conditional equations, can be pushed down to the level 
of each individual equational framework. Third, it is relatively straightforward 
to dualise the complete deduction system as well as all the results in the paper, 
and thus to get a complete deduction system for coequational logic. 

We only considered epimorphisms of projective source as axioms in E. That 
corresponds to unconditional equations in concrete equational contexts. We ad- 
mit that this can be viewed as a limitation at this stage, but we are confident that 
the results can be extended relatively easily to conditional axioms. We predict 
that in order to do this generalization, one would need to add to the framework 
at the beginning of section 5 the requirement that C has enough projectives. 

An interesting subject of research is to implement the four-rule deduction 
system presented in the paper. In this way, one would have an arrow-based, 
maybe graphical, equational reasoning engine. Perhaps the most important di- 
rection of further research is to dualise the results presented here and to obtain 
a complete deduction system for coequations. It is not clear to us at this stage 
what its significance would be and if there is any relationship with modal logics. 
Abstract. A new tree automata framework, called equational tree automata, 
is presented. In the newly introduced setting, congruence closures 
of recognizable tree languages are recognizable. Furthermore, we prove 
that in certain useful cases, recognizable tree languages are closed under 
union and intersection. To compare with early related work, e.g. [7], 
we discuss the relationship between linear bounded automata and equational 
tree automata. As a consequence, we obtain some (un)decidability 
results. We further present a hierarchy of 4 classes of tree languages. 

Keywords: Tree automata, equational theory, decidability 



1 Introduction 

Over the past decade tree automata theory has been extensively studied and 
many applications were developed in various areas, e.g. for verification of cryptographic 
protocols [10,12], subtyping in programming languages [9] and reduction 
strategies in term rewriting [6]. The devised techniques are based on "regular" 
tree automata, which are the counterpart of classical finite automata. The tree 
automata framework is very useful in the sense that many decision problems are 
known to be decidable and recognizable tree languages are closed under boolean 
operations. 

In contrast to the situations where regularity allows us to design terminating 
procedures easily, non-regular languages, such as term algebras modulo congruence, 
are considered to be troublesome in the framework. In fact, it is undecidable 
whether or not the congruence closure of a regular tree language is regular [7]. Even, 
except for a few examples [11], the AC-congruence closure of a regular tree language 
is not regular in general [5]. For instance, consider the signature $\mathcal{F} = \{f, a, b\}$, 
where $f$ is a binary function symbol, and $a$ and $b$ are constants. Let $L$ be the 
set of (ground) terms $t$ such that the number of occurrences of $a$ in $t$ is the 
same as the number of occurrences of $b$ in $t$. The tree language $L$ is not regular, 
because of the Pumping Lemma [2], although $L'$ defined below is regular and $L$ is 
the AC-closure of $L'$: $f(a, b) \in L'$ and $f(a, f(s, b)) \in L'$ for all $s \in L'$. 

The aim of this paper is to introduce a new tree automata framework, called 
equational tree automata (ETA for short), in which congruence closures of recognizable 
languages are recognizable. Furthermore, we investigate the expressive 
power of the new tree language theory by comparing it with other well-known 
classes. In this sense, we are concerned in the paper with questions about equational 
tree automata like the following: 

• $\forall L : TL.\ P(L) \Rightarrow \exists \mathcal{A}/\mathcal{E} : ETA.\ \mathcal{L}(\mathcal{A}/\mathcal{E}) = L$, 

• $\forall L : TL.\ Q(L) \Leftrightarrow \exists \mathcal{A}/\mathcal{E} : ETA.\ \mathcal{L}(\mathcal{A}/\mathcal{E}) = L$. 

In the above formulae, $P$ and $Q$ are predicates for tree languages (TL for short). 
In particular, we spend most of the space explaining the relationship between the 
standard (finite bottom-up regular) tree automata and our equational extension. 
For instance, we discuss sufficient conditions for equational systems $\mathcal{E}$ and tree 
languages $L$ that satisfy 

(Q1) $\exists \mathcal{A} : TA.\ \mathcal{E}(\mathcal{L}(\mathcal{A})) = L \Leftrightarrow \exists \mathcal{B}/\mathcal{E} : ETA.\ \mathcal{L}(\mathcal{B}/\mathcal{E}) = L$. 

The question asks us: under which condition does it hold or not hold that a tree 
language is recognizable with a TA $\mathcal{A}$ if and only if the $\mathcal{E}$-congruence closure is 
recognizable with an ETA $\mathcal{B}/\mathcal{E}$. Another instance to be considered is whether or 
not it holds that for any tree language $L$, 

(Q2) $\exists \mathcal{A} : TA.\ \mathcal{L}(\mathcal{A}) = L \Leftrightarrow \exists \mathcal{B}/\mathcal{E} : ETA.\ \mathcal{L}(\mathcal{B}/\mathcal{E}) = \mathcal{E}(L)$. 

The paper is organized as follows. The basics of tree automata and related 
theory are introduced in the next section. We show several positive answers 
to (Ql) and (Q2) in Section 3. We also present some decidability results by 
studying the relationship between linear bounded automata and equational tree 
automata. In Section 4, we show closure properties of union and intersection. 
We conclude in Section 5 by showing a hierarchy of 4 classes of tree languages. 
Open questions related to equational tree automata are also mentioned. 

2 Preliminaries 

A signature is a finite set $\mathcal{F}$ of function symbols together with natural numbers 
$n$ for every $f \in \mathcal{F}$. Here $n$ is called the arity of $f$, denoted by $arity(f) = n$. 
Function symbols of arity 0 are called constants. We assume the existence of a 
countably infinite set of variables $V$. The set $T(\mathcal{F}, V)$ of terms is inductively 
defined as follows: $V \subseteq T(\mathcal{F}, V)$ and $f(t_1, \ldots, t_n) \in T(\mathcal{F}, V)$ if the arity of $f$ 
is $n$ and $t_i \in T(\mathcal{F}, V)$ for all $1 \le i \le n$. The set $T(\mathcal{F}, \emptyset)$ of ground terms is 
denoted by $T(\mathcal{F})$. Let $\Box$ be a fresh constant, named hole. The set $T(\mathcal{F} \cup \{\Box\}, V)$ 
of terms is denoted by $\mathcal{C}(\mathcal{F}, V)$. Elements of $\mathcal{C}(\mathcal{F}, V)$ are called contexts. The 
empty context is a hole. If $C$ is a context with $n$ holes and $t_1, \ldots, t_n$ are terms, 
$C[t_1, \ldots, t_n]$ denotes the term obtained from $C$ by replacing the holes from left to 
right by $t_1, \ldots, t_n$. A substitution is a mapping $\sigma$ from $V$ to $T(\mathcal{F}, V)$. We write $t\sigma$ 
for the result of applying $\sigma$ to a term $t$, where $\sigma$ is extended as $f(t_1, \ldots, t_n)\sigma = 
f(t_1\sigma, \ldots, t_n\sigma)$. The set $pos(t)$ of positions in a term $t$ is defined by 

$$pos(t) = \begin{cases} \{\varepsilon\} & \text{if } t \text{ is a variable,} \\ \{\varepsilon\} \cup \{i \cdot p \mid 1 \le i \le n \text{ and } p \in pos(t_i)\} & \text{if } t = f(t_1, \ldots, t_n). \end{cases}$$ 
Here $\varepsilon$ is the empty sequence and $p \cdot q$ denotes concatenation of sequences $p$ and 
$q$ of positive integers. The position $\varepsilon$ in $pos(t)$ is called the root of $t$ and the symbol 
at $\varepsilon$ is denoted by $root(t)$. The subterm of $t$ at a position $p$ is denoted by $t|_p$ and 
is inductively defined as follows: 

$$t|_p = \begin{cases} t & \text{if } p = \varepsilon, \\ t_i|_q & \text{if } t = f(t_1, \ldots, t_n) \text{ and } p = i \cdot q \text{ with } 1 \le i \le n. \end{cases}$$ 

The set $pos(t)$ is divided into two sets $pos_V(t) = \{p \in pos(t) \mid t|_p \in V\}$ and 
$pos_{\mathcal{F}}(t) = pos(t) \setminus pos_V(t)$. Intuitively, $pos_V(t)$ is the set of variable positions in 
$t$ and $pos_{\mathcal{F}}(t)$ is the set of function symbol positions. The length of a term $t$, denoted 
by $|t|$, is the number of elements in $pos(t)$. The number of occurrences of a 
function symbol $f$ in a term $t$ is denoted by $\|t\|_f$. We write $\|t\|$ for the number of 
elements in $pos_{\mathcal{F}}(t)$. Note that $\|t\| = \sum_{f \in \mathcal{F}} \|t\|_f$. The set of variables appearing 
in $t$ is denoted by $var(t)$ and the set of function symbols in $t$ is denoted by 
$fun(t)$. The corresponding multisets are denoted by $var_{mul}(t)$ and $fun_{mul}(t)$, respectively. The 
height of a term $t$, denoted by $height(t)$, is defined by $height(t) = 0$ if $t \in V$; 
$height(t) = 1 + \max\{height(t_i) \mid 1 \le i \le n\}$ if $t = f(t_1, \ldots, t_n)$. 

An equation over the signature $\mathcal{F}$ is a pair $(s, t)$ of terms $s, t \in T(\mathcal{F}, V)$. 
The equation $(s, t)$ is denoted by $s \approx t$. An equation $l \approx r$ is called linear if 
neither $l$ nor $r$ contains multiple positions of the same variable. We say $l \approx r$ is 
variable-preserving if $var_{mul}(l) = var_{mul}(r)$. A variable-preserving equation $l \approx r$ 
is called length-preserving if $\|l\| = \|r\|$. An equation $l \approx r$ is called ground if 
$l, r \in T(\mathcal{F})$, i.e. $var(l) = var(r) = \emptyset$. An equational system (ES for short) $\mathcal{E}$ 
is a set of equations. Given a set $\mathcal{F}'$ ($\subseteq \mathcal{F}$) of some binary function symbols, 
the set of associativity axioms $f(f(x, y), z) \approx f(x, f(y, z))$ for all $f \in \mathcal{F}'$ is 
denoted by $A(\mathcal{F}')$, and the set of commutativity axioms $f(x, y) \approx f(y, x)$ for 
all $f \in \mathcal{F}'$ is $C(\mathcal{F}')$. We write $AC(\mathcal{F}')$ for the union of $A(\mathcal{F}')$ and $C(\mathcal{F}')$. If 
unnecessary to be explicit, we simply write $A$, $C$ and $AC$. An ES $\mathcal{E}$ is called linear 
(variable-preserving, length-preserving, ground) if it consists of linear (variable-preserving, 
length-preserving, ground) equations. The binary relation $s \to_{\mathcal{E}} t$ is 
defined by letting $s = C[l\sigma]$ and $t = C[r\sigma]$ for some equation $l \approx r \in \mathcal{E}$, context 
$C \in \mathcal{C}(\mathcal{F}, V)$ and substitution $\sigma$ over $T(\mathcal{F}, V)$. In the paper, it is not guaranteed 
that $r \approx l \in \mathcal{E}$ even if $l \approx r \in \mathcal{E}$. The symmetric closure of $\to_{\mathcal{E}}$ is denoted by $\leftrightarrow_{\mathcal{E}}$ 
and the equivalence relation of $\to_{\mathcal{E}}$ (i.e., the reflexive-transitive closure of $\leftrightarrow_{\mathcal{E}}$) 
is denoted by $\sim_{\mathcal{E}}$. 

A tree automaton (TA for short) $\mathcal{A} = (\mathcal{F}, Q, Q_f, \mathcal{R})$ consists of a signature 
$\mathcal{F}$, a finite set $Q$ of states (special constants with $\mathcal{F} \cap Q = \emptyset$), a set $Q_f$ ($\subseteq Q$) 
of final states and a finite set $\mathcal{R}$ of transition rules in one of the following forms: 

$$f(p_1, \ldots, p_n) \to q \qquad \text{or} \qquad f(p_1, \ldots, p_n) \to f(q_1, \ldots, q_n)$$ 

for some $f \in \mathcal{F}$ and $p_1, \ldots, p_n, q_1, \ldots, q_n, q \in Q$. In the latter form the root 
symbols in the left- and right-hand sides must be the same. An equational tree 
automaton $\mathcal{A}/\mathcal{E}$ is the combination of a TA $\mathcal{A}$ and an ES $\mathcal{E}$. We often denote $\mathcal{A}/\mathcal{E}$ 
by the 5-tuple $(\mathcal{F}, Q, Q_f, \mathcal{R}, \mathcal{E})$ for convenience. An ETA $\mathcal{A}/\mathcal{E}$ is called regular 
if $\mathcal{R}$ consists of transition rules in the shape of $f(p_1, \ldots, p_n) \to q$. We say $\mathcal{A}/\mathcal{E}$ 
is quasi-regular if for all $l \to r \in \mathcal{R}$ such that $root(l) \in fun(\mathcal{E})$, $r \in Q$. Here $fun$ 
is extended to $fun(\mathcal{E}) = \bigcup_{l \approx r \in \mathcal{E}} (fun(l) \cup fun(r))$. Every TA is transformed to 
a regular TA with the same expressive power. The details are described in the 
next section. We say $\mathcal{A}/\mathcal{E}$ is a C-TA (commutative-tree automaton) if $\mathcal{E} = C$. An 
ETA $\mathcal{A}/\mathcal{E}$ with $\mathcal{E} = A$ is called an A-TA (associative-tree automaton). Likewise, 
if $\mathcal{E} = AC$, it is called an AC-TA. We write $s \to_{\mathcal{A}/\mathcal{E}} t$ if there exist $s', t'$ such that 
$s \sim_{\mathcal{E}} s'$, $s' = C[l]$, $t \sim_{\mathcal{E}} t'$ and $t' = C[r]$ for some transition rule $l \to r \in \mathcal{R}$ and 
context $C \in \mathcal{C}(\mathcal{F} \cup Q)$. The relation $\to_{\mathcal{A}/\mathcal{E}}$ on $T(\mathcal{F} \cup Q)$ is called the move relation of 
$\mathcal{A}/\mathcal{E}$. The transitive closure and reflexive-transitive closure of $\to_{\mathcal{A}/\mathcal{E}}$ are denoted 
by $\to^+_{\mathcal{A}/\mathcal{E}}$ and $\to^*_{\mathcal{A}/\mathcal{E}}$. For a TA $\mathcal{A}$, we simply write $\to_{\mathcal{A}}$, $\to^+_{\mathcal{A}}$ and $\to^*_{\mathcal{A}}$ instead. 

A term $t \in T(\mathcal{F})$ is accepted by $\mathcal{A}/\mathcal{E}$ if $t \to^*_{\mathcal{A}/\mathcal{E}} q$ for some $q \in Q_f$. Elements of 
$\mathcal{L}(\mathcal{A}/\mathcal{E})$ are the ground terms accepted by $\mathcal{A}/\mathcal{E}$. A tree language $L$ over $\mathcal{F}$ is some 
subset of $T(\mathcal{F})$. We say a tree language $L$ is recognizable with an ETA if there 
exists $\mathcal{A}/\mathcal{E}$ such that $L = \mathcal{L}(\mathcal{A}/\mathcal{E})$. A tree language $L$ is called regular if $L = \mathcal{L}(\mathcal{A})$ 
for some regular TA $\mathcal{A}$. We write $\mathcal{E}(L)$ for $\{t \in T(\mathcal{F}) \mid t \sim_{\mathcal{E}} s \text{ for some } s \in L\}$ 
and we say $\mathcal{E}(L)$ is the $\mathcal{E}$-congruence closure of $L$. Note that $\mathcal{E}(\mathcal{E}(L)) = \mathcal{E}(L)$ for 
any tree language $L$; however, $\mathcal{E}_1(\mathcal{E}_2(L)) \neq (\mathcal{E}_1 \cup \mathcal{E}_2)(L)$ in general. By definition, if a tree 
language $L$ is recognizable with an $\mathcal{E}$-TA, so is $\mathcal{E}(L)$. In the questions (Q1) and 
(Q2), one direction '$\Rightarrow$' is trivial, because $\mathcal{E}(\mathcal{L}(\mathcal{A})) \subseteq \mathcal{L}(\mathcal{A}/\mathcal{E})$ in any case. 
Finally we spend the remaining space explaining some concepts on tree 
grammars [4]. A tree grammar $\mathcal{G}$ is the 4-tuple $(\mathcal{F}, Q, q_0, \mathcal{R})$, whose components 
are the signature $\mathcal{F}$, a finite set $Q$ of state symbols with fixed arities, an initial 
state constant $q_0$ ($\in Q$) and a finite set $\mathcal{R}$ of pairs $(l, r)$ of terms $l, r \in T(\mathcal{F} \cup Q, V)$ 
such that $var(r) \subseteq var(l)$ and $fun(l) \cap Q \neq \emptyset$. We write $l \to r$ for a pair 
$(l, r) \in \mathcal{R}$ and we write $\to_{\mathcal{G}}$ for the induced binary relation. A tree language 
$L$ is generatable if $L = \{t \in T(\mathcal{F}) \mid q_0 \to^*_{\mathcal{G}} t\}$ for some tree grammar $\mathcal{G}$. For 
instance, we consider the tree language $L_1 = \{f^n(g^n(h^n(a))) \mid n \ge 0\}$. The 
tree language $L_1$ is generatable. Actually, it is represented by the tree grammar 
$\mathcal{G}_1 = (\mathcal{F}, \{q_0, q_1, q_2, q_3\}, q_0, \mathcal{R}_1)$, where $\mathcal{R}_1$ consists of: 

$q_0 \to q_1(a, a, a)$ 
$q_1(x, y, z) \to q_1(f(x), g(y), h(z))$ 
$q_1(x, y, z) \to q_2(x, y, z)$ 
$q_2(x, g(y), z) \to q_2(x, y, g(z))$ 
$q_2(x, a, z) \to q_3(x, z)$ 
$q_3(f(x), z) \to q_3(x, f(z))$ 
$q_3(a, z) \to z$ 
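As an added example (not from the paper), the following small engine transcribes $\mathcal{G}_1$ and derives from $q_0$ by syntactic matching and rewriting at any position; bounding the number of derivation steps makes the generated set finite, and one can check that it contains exactly the terms $f^n(g^n(h^n(a)))$ reachable within the bound. The term encoding and the function names are ours.

```python
"""Added example (not from the paper): a tree-grammar derivation engine
applied to the grammar G_1 of the text. Terms are tuples (symbol, args...);
variables are bare strings. The grammar G1 below is G_1 transcribed from
the text; the encoding is constructed for this example."""
from collections import deque


def match(pattern, term, subst):
    """Syntactic matching: extend subst so that pattern instantiated by subst
    equals term. Returns False when no such extension exists."""
    if isinstance(pattern, str):                    # variable
        if pattern in subst:
            return subst[pattern] == term
        subst[pattern] = term
        return True
    if isinstance(term, str) or pattern[0] != term[0] or len(pattern) != len(term):
        return False
    return all(match(p, t, subst) for p, t in zip(pattern[1:], term[1:]))


def instantiate(term, subst):
    """Apply a substitution (var(r) is a subset of var(l), so every variable is bound)."""
    if isinstance(term, str):
        return subst[term]
    return (term[0],) + tuple(instantiate(t, subst) for t in term[1:])


def one_step(term, rules):
    """All t' with term ->_G t', rewriting a redex at any position."""
    results = []
    for lhs, rhs in rules:                          # redex at the root
        subst = {}
        if match(lhs, term, subst):
            results.append(instantiate(rhs, subst))
    for i in range(1, len(term)):                   # redex inside argument i
        for new_arg in one_step(term[i], rules):
            results.append(term[:i] + (new_arg,) + term[i + 1:])
    return results


def is_ground_over(term, signature):
    """True iff term is in T(F): no state symbol and no variable left."""
    return (not isinstance(term, str) and term[0] in signature
            and all(is_ground_over(t, signature) for t in term[1:]))


def generated_within(grammar, max_steps):
    """Ground terms t over F with q0 ->*_G t in at most max_steps steps (BFS,
    so the first visit of a sentential form is along a shortest derivation)."""
    signature, _, q0, rules = grammar
    start = (q0,)
    seen, frontier, generated = {start}, deque([(start, 0)]), set()
    while frontier:
        term, steps = frontier.popleft()
        if is_ground_over(term, signature):
            generated.add(term)
            continue                                # no state left, no rule applies
        if steps == max_steps:
            continue
        for nxt in one_step(term, rules):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, steps + 1))
    return generated


# G_1 = (F, {q0, q1, q2, q3}, q0, R_1) from the text, with F = {f, g, h, a}.
X, Y, Z = 'x', 'y', 'z'
G1 = ({'f', 'g', 'h', 'a'}, {'q0', 'q1', 'q2', 'q3'}, 'q0', [
    (('q0',), ('q1', ('a',), ('a',), ('a',))),
    (('q1', X, Y, Z), ('q1', ('f', X), ('g', Y), ('h', Z))),
    (('q1', X, Y, Z), ('q2', X, Y, Z)),
    (('q2', X, ('g', Y), Z), ('q2', X, Y, ('g', Z))),
    (('q2', X, ('a',), Z), ('q3', X, Z)),
    (('q3', ('f', X), Z), ('q3', X, ('f', Z))),
    (('q3', ('a',), Z), Z),
])


def fgh(n):
    """The term f^n(g^n(h^n(a)))."""
    t = ('a',)
    for sym in ('h', 'g', 'f'):
        for _ in range(n):
            t = (sym, t)
    return t


if __name__ == "__main__":
    for t in sorted(generated_within(G1, 13), key=len):
        print(t)
```

A derivation of $f^n(g^n(h^n(a)))$ in $\mathcal{G}_1$ takes $3n + 4$ steps (one to enter $q_1$, $n$ loops, one to $q_2$, $n$ moves of $g$, one to $q_3$, $n$ moves of $f$, one to drop $q_3$), so with a bound of 13 steps the engine generates exactly the members of $L_1$ for $n \le 3$.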

3 Recognizability and Some Decidability Results 

We start this section by showing that the previous tree language $L_1$ is not recognizable with an ETA. First we state the following property.

Lemma 1. For every TA $A$ there exists a regular TA $B$ such that $\mathcal{L}(A) = \mathcal{L}(B)$.

Proof. Suppose $A = (\mathcal{F}, Q, Q_f, \mathcal{R})$. We take $B = (\mathcal{F}, Q, Q_f, \mathcal{R}')$ by letting $\mathcal{R}' = \{f(p_1, \ldots, p_n) \to q \mid f \in \mathcal{F}$ and $p_1, \ldots, p_n, q \in Q$ such that $f(p_1, \ldots, p_n) \to^*_A q\}$. Then it is easy to prove that for all $t \in T(\mathcal{F})$, $t \to^*_A q \in Q$ if and only if $t \to^*_B q \in Q$. □

We suppose, towards a contradiction, that there is an ETA $A/\mathcal{E} = (\mathcal{F}, Q, Q_f, \mathcal{R}, \mathcal{E})$ such that $\mathcal{L}(A/\mathcal{E}) = L_1$. In this case $\mathcal{E}$ is non-empty; otherwise, $L_1$ is recognized by a regular TA (Lemma 1). We take a term $t = f^n(g^n(h^n(a)))$ such that $n > |Q| + |l|$ and $n > |Q| + |r|$ for every $l \approx r \in \mathcal{E}$. Since $t$ is accepted by $A/\mathcal{E}$, there exists a derivation $t \to^*_{A/\mathcal{E}} q$ for some $q \in Q_f$. Suppose $t \to^*_{A/\mathcal{E}} f^n(g^n(h^{n-m}(p)))$ with $p \in Q$. In case $0 \leq m \leq |Q|$, $f^n(g^n(h^{n-m}(p))) \to_{A/\mathcal{E}} s'$ if and only if $f^n(g^n(h^{n-m}(p))) \to_A s'$ (as there is no term $t' \notin L_1$ such that $t \approx_{\mathcal{E}} t'$). This admits a derivation $t \to^*_A f^n(g^n(h^{n-m_1}(p'))) \to^*_A f^n(g^n(h^{n-m_2}(p'))) \to^*_{A/\mathcal{E}} q$ for some $p' \in Q$ and $m_1 < m_2 \leq |Q|$. This implies that $f^n(g^n(h^{n+i(m_2-m_1)}(a)))$ is accepted for any $i \geq 0$, but this contradicts the assumption. Therefore $L_1$ is not recognizable, and thus, not every generatable tree language is recognizable. One should notice that $\{f^n(g^n(a)) \mid n \geq 0\}$ is recognized by an ETA (but not by a TA) having an equation $f(g(x)) \approx f(f(g(g(x))))$.

On the other hand, every recognizable tree language $\mathcal{L}(A/\mathcal{E})$ is generatable whenever $\mathcal{E}$ is linear. Let $A/\mathcal{E} = (\mathcal{F}, Q, Q_f, \mathcal{R}, \mathcal{E})$. For all $f \in \mathcal{F}$, we take fresh state symbols $q_f$ (for the tree grammar) such that $arity(q_f) = arity(f)$. Now we define the tree grammar $G = (\mathcal{F}, Q', q_0, \mathcal{R}' \cup \mathcal{R}'')$ as follows. Let $\phi$ be the mapping defined by $\phi(t) = t$ if $t \in \mathcal{V}$ or $t \in Q$; $\phi(t) = q_f(\phi(t_1), \ldots, \phi(t_n))$ if $t = f(t_1, \ldots, t_n)$. Then $Q' = Q \cup \{q_0, q_*\} \cup \{q_f \mid f \in \mathcal{F}\}$, $\mathcal{R}' = \{\phi(r) \to \phi(l) \mid l \to r \in \mathcal{R}\} \cup \{q_f(x_1, \ldots, x_n) \to f(x_1, \ldots, x_n) \mid f \in \mathcal{F}\} \cup \{q_0 \to q \mid q \in Q_f\} \cup \{q_* \to q_f(q_*, \ldots, q_*) \mid f \in \mathcal{F}\} \cup \{q_* \to q \mid q \in Q\}$, and $\mathcal{R}''$ consists of the rules $\phi(l)\sigma_1 \to \phi(r)\sigma_1\sigma_2$ for all $l \approx r \in \mathcal{E} \cup \mathcal{E}^{-1}$ and substitutions $\sigma_1, \sigma_2$. Here $\mathcal{E}^{-1} = \{s \approx t \mid t \approx s \in \mathcal{E}\}$, $\sigma_1 = \{x \mapsto q(x_1, \ldots, x_n)\}$ for some $q \in Q' \setminus \{q_0, q_*\}$ and fresh variables $x_1, \ldots, x_n$ if $l = x$ ($\in \mathcal{V}$); otherwise, $\sigma_1 = \emptyset$. Moreover, $\sigma_2 = \{y_1 \mapsto q_*, \ldots, y_k \mapsto q_* \mid y_i \in var(r) \setminus var(l)$ for all $1 \leq i \leq k\}$. The tree grammar $G$ satisfies $q_0 \to^*_G t \in T(\mathcal{F})$ if and only if $t \to^*_{A/\mathcal{E}} q$ for some $q \in Q_f$.

We now consider the initial questions (Q1) and (Q2). First we observe that $\mathcal{E}(\mathcal{L}(A)) \neq \mathcal{L}(A/\mathcal{E})$ in general. For instance, let $\mathcal{E}_1 = \{f(x,x) \approx g(x,x)\}$ and $A_1 = (\{f, g, a, b\}, \{q_1, q_2\}, \{q_2\}, \{a \to q_1,\ b \to q_1,\ f(q_1, q_1) \to q_2\})$. It is trivial that $\mathcal{L}(A_1) = \{f(a,a), f(a,b), f(b,a), f(b,b)\}$, and then, $\mathcal{E}_1(\mathcal{L}(A_1)) = \mathcal{L}(A_1) \cup \{g(a,a), g(b,b)\}$. On the other hand, $\mathcal{L}(A_1/\mathcal{E}_1) = \{f(s,t), g(s,t) \mid s, t \in \{a, b\}\}$. Note that $g(a,b) \to^*_{A_1} g(q_1, q_1) \approx_{\mathcal{E}_1} f(q_1, q_1) \to_{A_1} q_2$, although $g(a,b) \notin \mathcal{E}_1(\mathcal{L}(A_1))$.

Unfortunately, linearity of $\mathcal{E}$ is insufficient to guarantee $\mathcal{E}(\mathcal{L}(A)) = \mathcal{L}(A/\mathcal{E})$. Consider $A_2 = (\{f, a, b\}, \{q_1, q_2, q_3\}, \{q_2\}, \{a \to q_1,\ b \to q_2,\ f(q_1, q_2) \to f(q_3, q_3),\ f(q_3, q_2) \to q_2\})$ and $\mathcal{E}_2 = \mathrm{A}(\{f\})$. Since only $b$ is reduced to $q_2$ by $A_2$, $\mathcal{L}(A_2) = \{b\}$, and then $\mathcal{E}_2(\mathcal{L}(A_2)) = \{b\}$. Let $t = f(f(a,b),b)$. The subterm $f(a,b)$ can be reduced to $f(q_1, q_2)$, then $t \to^*_{A_2} f(f(q_1, q_2), q_2) \to_{A_2} f(f(q_3, q_3), q_2)$. Due to associativity of $f$, $f(f(q_3, q_3), q_2) \approx_{\mathcal{E}_2} f(q_3, f(q_3, q_2))$, and thus, $f(q_3, f(q_3, q_2)) \to^*_{A_2} q_2$. Hence $t$ is accepted by $A_2/\mathcal{E}_2$.

As a consequence, we obtain a partial solution to the initial questions.

Lemma 2. Every regular ETA $A/\mathcal{E}$ with $\mathcal{E}$ linear satisfies $\mathcal{E}(\mathcal{L}(A)) = \mathcal{L}(A/\mathcal{E})$.

Proof. Since $\mathcal{E}(\mathcal{L}(A)) \subseteq \mathcal{L}(A/\mathcal{E})$ is trivial, we show the reverse. It suffices to prove $\to^{=}_A \cdot \approx_{\mathcal{E}} \subseteq \approx_{\mathcal{E}} \cdot \to^{=}_A$. Here $\to^{=}$ denotes the reflexive closure of $\to$. Let $A/\mathcal{E} = (\mathcal{F}, Q, Q_f, \mathcal{R}, \mathcal{E})$ and suppose $s \to_A t \approx_{\mathcal{E}} u$ such that $s = C[l]$ and $t = C[r]$ for some $l \to r \in \mathcal{R}$, and moreover, $t = C'[l'\sigma]$ and $u = C'[r'\sigma]$ for some $l' \approx r' \in \mathcal{E} \cup \mathcal{E}^{-1}$. Since $r$ is a state in $Q$, there are the two cases as follows. If $l' \approx r'$ is applied above $r$, then $r$ occurs below or at a variable position of $l'$. Suppose $\sigma = \{x_1 \mapsto t_1, \ldots, x_i \mapsto D[r], \ldots, x_n \mapsto t_n \mid x_i \in var(l') \cup var(r')$ for all $1 \leq i \leq n\}$. Then we take $\sigma' = (\sigma \setminus \{x_i \mapsto D[r]\}) \cup \{x_i \mapsto D[l]\}$, and we obtain $s = C'[l'\sigma']$. Since $l' \approx r'$ is linear, we also obtain $C'[l'\sigma'] \approx_{\mathcal{E}} C'[r'\sigma']$ and $C'[r'\sigma'] \to_A u$. Otherwise (i.e., if $l' \approx r'$ is applied at a position parallel to $r$), $s \to_A t \approx_{\mathcal{E}} u$ obviously implies $s \approx_{\mathcal{E}} t' \to_A u$ for some $t'$. □

In this case the emptiness problem (i.e., the question whether $\mathcal{L}(A/\mathcal{E}) = \emptyset$) is decidable, because $\mathcal{L}(A) = \emptyset$ if and only if $\mathcal{E}(\mathcal{L}(A)) = \emptyset$. In case $\mathcal{E}$ is also length-preserving, the membership and finiteness problems are decidable.

Along the same lines as the proof of Lemma 1, we obtain another statement.

Lemma 3. Every ETA $A/\mathrm{C}$ has a TA $B$ that satisfies $\mathcal{L}(A/\mathrm{C}) = \mathcal{L}(B)$.

Proof. We use the same construction as in the proof of Lemma 1. Let $A' = (\mathcal{F}, Q, Q_f, \mathcal{R}')$, where $\mathcal{R}' = \{f(p_1, \ldots, p_n) \to q \mid f \in \mathcal{F}$ and $p_1, \ldots, p_n, q \in Q$ such that $f(p_1, \ldots, p_n) \to^*_{A/\mathrm{C}} q\}$. Then, as in Lemma 1, $\mathcal{L}(A/\mathrm{C}) = \mathcal{L}(A'/\mathrm{C})$. By Lemma 2 we have $\mathcal{L}(A'/\mathrm{C}) = \mathrm{C}(\mathcal{L}(A'))$. Moreover, every C-congruence closure of a regular tree language is recognizable with a regular TA (e.g. Exercise 12(3) in [2]). Hence there exists a TA $B$ such that $\mathrm{C}(\mathcal{L}(A')) = \mathcal{L}(B)$. □

Accordingly, we have the positive partial solutions: if $\mathcal{E}$ is a linear ES,

$\forall L : \mathrm{TL},\ \exists A : \text{regular TA}.\ \mathcal{E}(\mathcal{L}(A)) = L \implies \exists B/\mathcal{E} : \text{regular ETA}.\ \mathcal{L}(B/\mathcal{E}) = L$.

As a special case, if $\mathcal{E} = \mathrm{C}$, the regularity condition for $A$ and $B$ is unnecessary (Lemma 3). Moreover, we showed that C-TA's have the same expressive power as regular TA's have. Another particular known case is $\mathcal{E}$ ground. Dauchet and Tison [3] showed that $\mathcal{E}(\mathcal{L}(A))$ is regular whenever $\mathcal{E}$ is ground, so there exists a regular ETA $B/\mathcal{E}$ such that $\mathcal{L}(B/\mathcal{E}) = \mathcal{E}(\mathcal{L}(A))$ (as there exists a regular TA $B$ such that $\mathcal{L}(B) = \mathcal{E}(\mathcal{L}(B)) = \mathcal{L}(B/\mathcal{E})$). We can also prove that $\mathcal{L}(B/\mathcal{E})$ is regular for any ETA $B/\mathcal{E}$ with $\mathcal{E}$ ground, because C in this case.

In contrast to the situation in Lemma 2, $A$ and $B$ in the above formula are not necessarily the same. This leads us to a new question; that is, whether or not the regularity of $A$ and $B$ is really essential in the formula. We are concerned with this question in the following part.

Ground term rewriting and regular tree automata are closely related to each other. In fact, the "word problem" for a ground theory is solvable, by reducing it to the intersection-emptiness problem of TA's, which is decidable. The same result holds for ground C-theories. In contrast, it is known that the word problem for ground A-theories is undecidable, which was proved by Post [13]. In term rewriting, Deruyver and Gilleron [5] showed that reachability of ground A-term rewriting is undecidable. In the equational tree automata framework a similar phenomenon can be found. The problem is regularizability of the transition rules of A-symbols in an A-TA. One should notice that every A-TA can be transformed to a quasi-regular A-TA.

Lemma 4. Every $A/\mathrm{A}$ has a quasi-regular $B/\mathrm{A}$ that satisfies $\mathcal{L}(A/\mathrm{A}) = \mathcal{L}(B/\mathrm{A})$.

Proof. Let $A/\mathrm{A} = (\mathcal{F}, Q, Q_f, \mathcal{R}, \mathrm{A})$. We take $A'/\mathrm{A} = (\mathcal{F}, Q, Q_f, \mathcal{R}', \mathrm{A})$, where $\mathcal{R}' = \{f(p_1, \ldots, p_n) \to q \mid f \in \mathcal{F} \setminus fun(\mathrm{A})$ and $p_1, \ldots, p_n, q \in Q$ such that $f(p_1, \ldots, p_n) \to^*_{A/\mathrm{A}} q\}$. We take $B/\mathrm{A} = (\mathcal{F}, Q, Q_f, \mathcal{S}, \mathrm{A})$ by letting $\mathcal{S}$ be the union of $\mathcal{R}'$ and $\{l \to r \in \mathcal{R} \mid root(l) \in fun(\mathrm{A})\}$. Suppose $t \in T(Q \cup \mathcal{F})$ such that $t \to^*_{A/\mathrm{A}} q$ for some $q \in Q$. Using induction on the size of terms we show $t \to^*_{B/\mathrm{A}} q$ below. If $t$ is a constant $c$ ($\notin Q$), there exists a rule $c \to q \in \mathcal{R}$, and thus $c \to q \in \mathcal{R}'$. If $t$ is a state then $t = q$. Otherwise, there exist a term $t' \in T(Q \cup \mathcal{F})$ and a derivation $t \to^*_{A/\mathrm{A}} t' \to^*_{A/\mathrm{A}} q$ such that $t = C[t_1, \ldots, t_n]$, $t' = C'[q_1, \ldots, q_n]$, $C \approx_{\mathrm{A}} C'$, $t_i \to^*_{A/\mathrm{A}} q_i$ and $t_i \in T(Q \cup (\mathcal{F} \setminus fun(\mathrm{A})))$ for all $1 \leq i \leq n$. Here we assume $t_1, \ldots, t_n$ are maximal subterms. Let $\mathcal{R}_1 = \{l \to r \in \mathcal{R} \mid root(l) \in fun(\mathrm{A})\}$ and $\mathcal{R}_2 = \{l \to r \in \mathcal{R} \mid root(l) \notin fun(\mathrm{A})\}$. Since $t_i \to^*_{A/\mathrm{A}} q_i$ is performed by $\mathcal{R}_2$, we obtain $t_i \to^*_{B/\mathrm{A}} q_i$. This implies $t \to^*_{B/\mathrm{A}} t' \to^*_{A/\mathrm{A}} q$. Again we observe that there exist a term $t''$ and a derivation $t' \to^*_{A/\mathrm{A}} t'' \to^*_{A/\mathrm{A}} q$ such that $t' = D[t'_1, \ldots, t'_m]$, $t'' = D'[p_1, \ldots, p_m]$, $D \approx_{\mathrm{A}} D'$, $t'_i \to^*_{A/\mathrm{A}} p_i$ and $t'_i \in T(Q \cup fun(\mathrm{A}))$ for all $1 \leq i \leq m$. Here we assume $t'_1, \ldots, t'_m$ maximal. In this case $t'_i \to^*_{B/\mathrm{A}} p_i$ (actually $t'_i \to^*_{A/\mathrm{A}} p_i$), thus $t' \to^*_{B/\mathrm{A}} t''$. Since $|t''| < |t|$, $t'' \to^*_{B/\mathrm{A}} q$ by the induction hypothesis. Moreover, from the fact that $C \approx_{\mathrm{A}} C'$, we obtain $t \to^*_{B/\mathrm{A}} q$.

The inverse is an easy consequence of the property that $\to_{B/\mathrm{A}} \subseteq \to^*_{A/\mathrm{A}}$. □

However, a quasi-regular A-TA cannot always be simplified to a regular A-TA with the same expressive power. In the remaining (but major) part of this section we explain the reason, by introducing linear bounded automata as found in Hopcroft and Ullman [8]. A linear bounded automaton (LBA for short) $M$ is the 7-tuple $(\Sigma, Q, Q_f, q_0, \#, \$, S)$. Each of the components denotes:

— $\Sigma$: a finite set of tape symbols,

— $Q$: a finite set of state symbols such that $\Sigma \cap Q = \emptyset$,

— $Q_f$ ($\subseteq Q$): a set of final states,

— $q_0$ ($\in Q$): an initial state symbol,

— $\#$ ($\notin \Sigma$): the left endmark,

— $\$$ ($\notin \Sigma$): the right endmark,

— $S$: a finite set of string rewrite rules in the form of either $a\,q\,b \to q'\,a\,b'$ or $q\,b \to b'\,q'$ for some $a, b, b' \in \Sigma$ and $q, q' \in Q$. (Basic notions of string rewriting are explained, e.g., in [1].) As a special case of the former rule, $b = \$$ is allowed whenever $b' = \$$. Similarly, in the latter case, $b = \#$ is allowed whenever $b' = \#$. If there exists a rule $a\,q\,b \to q'\,a\,b'$ for some $a \in \Sigma$, we assume $S$ contains $c\,q\,b \to q'\,c\,b'$ for all $c \in \Sigma$.
An LBA is a Turing machine whose tape length is finitely bounded. As we showed in the example in Section 2, a Turing machine (or tree grammar) is too general to discuss the expressive power of ETA. In the following part we show the equivalence of LBA and (a special case of) ETA, and so we use such a resource bounded Turing machine.

A word $w$ is a finite (possibly empty) sequence of symbols over $\Sigma$. The empty word is denoted by $\varepsilon$ and the set of all words over $\Sigma$ is $\Sigma^*$. A language is a subset of $\Sigma^*$. A move relation on $(\Sigma \cup Q \cup \{\#, \$\})^*$ with respect to $M$, denoted by $\to_M$, is defined as follows: $u \to_M v$ if there exists a rule $l \to r \in S$ such that $u = u_1 l u_2$ and $v = u_1 r u_2$. A word $w$ is called accepted by $M$ if $q_0 \# w \$ \to^*_M u\,q\,v$ for some $q \in Q_f$ and $u, v \in (\Sigma \cup \{\#, \$\})^*$. The set $\mathcal{L}(M)$ consists of the words accepted by $M$. By definition, $\varepsilon \in \mathcal{L}(M)$ is allowed. We say a language $L$ is recognizable with an LBA if there exists an LBA $M$ such that $L = \mathcal{L}(M)$.

It is known that the emptiness problem is undecidable for LBA; that is, there is no algorithm deciding whether the language recognized by an arbitrary LBA is empty. This implies that for an arbitrary LBA $M$, if there exists an ETA $A/\mathrm{A}$ simulating $M$, we cannot in general find a regular ETA $B/\mathrm{A}$ such that $\mathcal{L}(A/\mathrm{A}) = \mathcal{L}(B/\mathrm{A})$. Otherwise, we could determine whether $\mathcal{L}(M) = \emptyset$ by examining $\mathcal{L}(B) = \emptyset$, because $\mathcal{L}(B/\mathrm{A}) = \emptyset$ if and only if $\mathcal{L}(B) = \emptyset$ due to Lemma 2.

Thus, all we have to do in the remaining part is to show that for an arbitrary LBA $M$, there exists an associated ETA $A_M/\mathrm{A}$ such that $\mathcal{L}(M) = \emptyset$ if and only if $\mathcal{L}(A_M/\mathrm{A}) = \emptyset$.

Given an LBA $M = (\Sigma, Q, Q_f, q_0, \#, \$, S)$, let us take $\mathcal{F}_M = \Sigma \cup \{q_0, \#, \$\} \cup \{f\}$ such that $f$ is a fresh binary function symbol assumed to be associative. The set $Q_M$ of state symbols is the union of $Q_1 = \{\alpha_q, \bar\alpha_q \mid q \in Q\}$ and $Q_2 = \{\beta_a \mid a \in \Sigma \cup \{\#, \$\}\}$ together with fresh state symbols $*q_0, *\#, o_1, o_2, o$ such that $Q_{Mf} = \{o\}$. The set $\mathcal{R}_M$ consists of the following transition rules:

1. $q_0 \to *q_0$,

2. $\# \to *\#$,

3. $f(*q_0, *\#) \to f(\alpha_{q_0}, \beta_\#)$,

4. $a \to \beta_a$ for all $a \in \Sigma \cup \{\$\}$,

5. $f(\alpha_p, \beta_a) \to f(\beta_b, \alpha_q)$ if $p\,a \to b\,q \in S$ for some $p, q \in Q$ and $a, b \in \Sigma$,

6. $f(\alpha_p, \beta_a) \to f(\bar\alpha_q, \beta_b)$ if $c\,p\,a \to q\,c\,b \in S$ for some $p, q \in Q$ and $a, b, c \in \Sigma$,

7. $f(\beta_a, \bar\alpha_q) \to f(\alpha_q, \beta_a)$ for all $a \in \Sigma \cup \{\#, \$\}$ and $q \in Q$,

8. $f(\alpha_q, \beta_a) \to f(o_1, \beta_a)$ and $f(\alpha_q, \beta_\#) \to o_2$ for all $q \in Q_f$ and $a \in \Sigma \cup \{\$\}$,

9. $f(\beta_a, o_1) \to o_1$ and $f(o_2, \beta_a) \to o_2$ for all $a \in \Sigma$,

10. $f(\beta_\#, o_1) \to o_2$,

11. $f(o_2, \beta_\$) \to o$.

Henceforth, we write $t = C_f\llbracket t_1, \ldots, t_n \rrbracket$ if $t = C[t_1, \ldots, t_n]$ such that $C$ is a non-empty and maximal context consisting of the function symbol $f$. If $f$ need not be explicit, we simply write $t = C\llbracket t_1, \ldots, t_n \rrbracket$.
The idea of the previous construction is described below. We take an ETA $A_M/\mathrm{A} = (\mathcal{F}_M, Q_M, Q_{Mf}, \mathcal{R}_M, \mathrm{A})$ with $\mathrm{A} = \{f(f(x,y),z) \approx f(x,f(y,z))\}$. In this setting, a word $w = a_1 a_2 a_3 \ldots a_n$ is represented by a term $C\llbracket a_1, a_2, a_3, \ldots, a_n \rrbracket$ and an initial instantaneous description for $w$, i.e. $q_0\,\#\,a_1 a_2 \ldots a_n\,\$$, is represented as $C\llbracket q_0, \#, a_1, a_2, \ldots, a_n, \$ \rrbracket$.

The first three rules 1-3 examine whether $q_0$ and $\#$ are located in the order $q_0\,\#$ at the initial stage. Using the transition rules 4, each tape symbol, together with the right endmark, of a term is replaced by the corresponding state symbol in $Q_M$. This step is not necessarily performed at once.

In case $M$ admits the move relation $\#\,p\,a_1 a_2 \ldots a_n\,\$ \to_M \#\,b_1\,q\,a_2 \ldots a_n\,\$$, there exists the corresponding derivation

$C\llbracket \beta_\#, \alpha_p, \beta_{a_1}, \beta_{a_2}, \ldots, \beta_{a_n}, \beta_\$ \rrbracket \approx_{\mathrm{A}} f(f(\ldots f(f(\beta_\#, f(\alpha_p, \beta_{a_1})), \beta_{a_2}) \ldots, \beta_{a_n}), \beta_\$)$

$\to_{A_M} f(f(\ldots f(f(\beta_\#, f(\beta_{b_1}, \alpha_q)), \beta_{a_2}) \ldots, \beta_{a_n}), \beta_\$)$.

If there is a rule $b_1\,q\,a_2 \to r\,b_1\,b_2 \in S$ and it is applied at the next step, then

$C\llbracket \beta_\#, \beta_{b_1}, \alpha_q, \beta_{a_2}, \ldots, \beta_{a_n}, \beta_\$ \rrbracket \approx_{\mathrm{A}} f(f(\ldots f(\beta_\#, f(\beta_{b_1}, f(\alpha_q, \beta_{a_2}))) \ldots, \beta_{a_n}), \beta_\$)$

$\to_{A_M} f(f(\ldots f(\beta_\#, f(\beta_{b_1}, f(\bar\alpha_r, \beta_{b_2}))) \ldots, \beta_{a_n}), \beta_\$)$

$\approx_{\mathrm{A}} f(f(\ldots f(\beta_\#, f(f(\beta_{b_1}, \bar\alpha_r), \beta_{b_2})) \ldots, \beta_{a_n}), \beta_\$)$

$\to_{A_M} f(f(\ldots f(\beta_\#, f(f(\alpha_r, \beta_{b_1}), \beta_{b_2})) \ldots, \beta_{a_n}), \beta_\$)$.


Lemma 5. If an LBA $M$ admits a move relation $q_0\,\#\,a_1 \ldots a_n\,\$ \to^*_M b_0 b_1 b_2 \ldots b_{i-1}\,p\,b_i \ldots b_n b_{n+1}$, the associated ETA $A_M/\mathrm{A}$ simulates the computation sequence by resulting in the derivation

$C\llbracket q_0, \#, a_1, \ldots, a_n, \$ \rrbracket \to^*_{A_M/\mathrm{A}} C\llbracket \beta_{b_0}, \beta_{b_1}, \ldots, \beta_{b_{i-1}}, \alpha_p, \beta_{b_i}, \ldots, \beta_{b_n}, \beta_{b_{n+1}} \rrbracket$.

Proof. Use induction on the length of the $M$-move relation. □

Hence $A_M/\mathrm{A}$ results in a term $C\llbracket \beta_{b_0}, \beta_{b_1}, \ldots, \beta_{b_{i-1}}, \alpha_p, \beta_{b_i}, \ldots, \beta_{b_n}, \beta_{b_{n+1}} \rrbracket$ provided $q_0\,\#\,a_1 \ldots a_n\,\$ \to^*_M b_0 b_1 \ldots b_{i-1}\,p\,b_i \ldots b_n b_{n+1}$. In case $p \in Q_f$, the subterm $f(\alpha_p, \beta_{b_i})$ is replaced by $f(o_1, \beta_{b_i})$ using the rules 8. Moreover, the whole term is simplified to $f(o_2, \beta_\$)$ by the rules 9-10. Finally $o$ is obtained by applying the rule 11.
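The two automata $A_1/\mathcal{E}_1$ and $A_2/\mathcal{E}_2$ from the beginning of this section and the LBA encoding just described, worked through in executable form. This is an added example written for this edition, not code from the paper. It implements acceptance of an ETA literally, as reachability of a final state under the transition rules and the equations used in both directions, and reads the rules 1-11 as given above (with $\bar\alpha_q$ produced only by rule 6 and consumed only by rule 7). Two choices are assumptions of ours: rules 5 and 6 are also instantiated for the endmark moves that $S$ is allowed to contain, and rule 7 is instantiated for tape symbols in $\Sigma$ only. The LBA accepting $a^n$ with $n$ even is constructed for the demonstration; the names `A1_E1`, `A2_E2`, `lba_to_eta` and `EVEN` are ours.

```python
# Added illustration, not the paper's code: a bottom-up evaluator for equational
# tree automata.  A term is a string (constant or state) or a tuple
# (symbol, arg1, ..., argn).  Transition rules l -> r and equations l ~ r (used
# in both directions) fire at any position; t is accepted iff a final state is
# reachable from it.
from collections import deque

VARS = {"x", "y", "z"}   # pattern variables of the equations

def match(pat, term, subst):
    """Matching that allows non-linear patterns such as f(x, x)."""
    if isinstance(pat, str):
        if pat in VARS:
            if pat in subst:
                return subst if subst[pat] == term else None
            return {**subst, pat: term}
        return subst if pat == term else None
    if isinstance(term, str) or pat[0] != term[0] or len(pat) != len(term):
        return None
    for p, t in zip(pat[1:], term[1:]):
        subst = match(p, t, subst)
        if subst is None:
            return None
    return subst

def instantiate(term, subst):
    if isinstance(term, str):
        return subst.get(term, term)
    return (term[0],) + tuple(instantiate(a, subst) for a in term[1:])

def successors(term, rules):
    """One rule application at the root or inside any argument."""
    out = [instantiate(r, s) for l, r in rules for s in [match(l, term, {})] if s is not None]
    if not isinstance(term, str):
        for i in range(1, len(term)):
            out += [term[:i] + (u,) + term[i + 1:] for u in successors(term[i], rules)]
    return out

def reachable(term, rules):
    """Breadth-first closure; finite because none of the rules below enlarges a term."""
    seen, todo = {term}, deque([term])
    while todo:
        for u in successors(todo.popleft(), rules):
            if u not in seen:
                seen.add(u)
                todo.append(u)
    return seen

def accepts(eta, term):
    """t in L(A/E): rewrite with R and with E (both ways) until a final state appears."""
    rules, finals, eqs = eta
    return any(q in finals for q in reachable(term, list(rules) + eqs + [(r, l) for l, r in eqs]))

def in_closure(eta, term):
    """t in E(L(A)): some E-equivalent of t is accepted by A without the equations."""
    rules, finals, eqs = eta
    equivalents = reachable(term, eqs + [(r, l) for l, r in eqs])
    return any(accepts((rules, finals, []), s) for s in equivalents)

# The paper's examples A1/E1 and A2/E2, transcribed.
A1_E1 = ([("a", "q1"), ("b", "q1"), (("f", "q1", "q1"), "q2")], {"q2"},
         [(("f", "x", "x"), ("g", "x", "x"))])
ASSOC = [(("f", ("f", "x", "y"), "z"), ("f", "x", ("f", "y", "z")))]   # A({f})
A2_E2 = ([("a", "q1"), ("b", "q2"), (("f", "q1", "q2"), ("f", "q3", "q3")),
          (("f", "q3", "q2"), "q2")], {"q2"}, ASSOC)

def lba_to_eta(sigma, states, finals, q0, right_moves, left_moves):
    """Rules 1-11 for an LBA.  right_moves (p, b, b2, q) encode  p b -> b2 q;
    left_moves (p, b, q, b2) encode  c p b -> q c b2  (independent of c).
    Assumptions of ours: rules 5/6 are also instantiated for endmark moves that
    S may contain, and rule 7 only for tape symbols in sigma."""
    al, ab, be = (lambda q: "alpha_" + q), (lambda q: "abar_" + q), (lambda a: "beta_" + a)
    R = [(q0, "*q0"), ("#", "*#"), (("f", "*q0", "*#"), ("f", al(q0), be("#")))]      # 1-3
    R += [(a, be(a)) for a in sigma | {"$"}]                                              # 4
    R += [(("f", al(p), be(b)), ("f", be(b2), al(q))) for p, b, b2, q in right_moves]     # 5
    R += [(("f", al(p), be(b)), ("f", ab(q), be(b2))) for p, b, q, b2 in left_moves]      # 6
    R += [(("f", be(a), ab(q)), ("f", al(q), be(a))) for a in sigma for q in states]      # 7
    for q in finals:                                                                      # 8
        R += [(("f", al(q), be(a)), ("f", "o1", be(a))) for a in sigma | {"$"}]
        R.append((("f", al(q), be("#")), "o2"))
    R += [(("f", be(a), "o1"), "o1") for a in sigma] + [(("f", "o2", be(a)), "o2") for a in sigma]  # 9
    R += [(("f", be("#"), "o1"), "o2"), (("f", "o2", be("$")), "o")]                      # 10, 11
    return R, {"o"}, ASSOC

def word_term(q0, word):
    """<q0 # w $> as a left-nested f-term; every other bracketing is A-equivalent."""
    t = q0
    for c in ["#", *word, "$"]:
        t = ("f", t, c)
    return t

# Constructed LBA accepting a^n for even n > 0: q0/q1 track the parity while
# moving right; on $ in state q0 the left move  a q0 $ -> qf a $  plants the
# final state qf on the tape, where rule 8 can see it.
EVEN = lba_to_eta({"a"}, {"q0", "q1", "qf"}, {"qf"}, "q0",
                  [("q0", "#", "#", "q0"), ("q0", "a", "a", "q1"), ("q1", "a", "a", "q0")],
                  [("q0", "$", "qf", "$")])

def lba_accepts(word):
    """w in L(M) iff <q0 # w $> is accepted by A_M/A (Lemmas 6 and 8)."""
    return accepts(EVEN, word_term("q0", word))
```

With these definitions `accepts(A1_E1, ("g", "a", "b"))` holds while `in_closure(A1_E1, ("g", "a", "b"))` does not, which is exactly the gap $\mathcal{E}_1(\mathcal{L}(A_1)) \subsetneq \mathcal{L}(A_1/\mathcal{E}_1)$ from the text, and `accepts(A2_E2, ("f", ("f", "a", "b"), "b"))` succeeds only because the associativity axiom is available during the run. For the LBA encoding, `lba_accepts("aa")` is true and `lba_accepts("a")`, `lba_accepts("")` are false. The breadth-first search is exhaustive, so it also serves as a check that no spurious run (for instance a state wandering past an endmark) reaches $o$ for the rejected words.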

This obviously implies soundness of the construction with respect to acceptability. Formally, it is stated as follows. Let $\Gamma = \Sigma \cup Q \cup \{\#, \$\}$ and define the mapping $\langle \cdot \rangle$ by

$\langle w \rangle = f(a, \langle u \rangle)$ if $w = a\,u$ for some $a \in \Gamma$ and $u \in \Gamma^+$,
$\langle w \rangle = w$ if $w \in \Gamma$.

Due to Lemma 5 together with the preceding observation, the soundness property is established.

Lemma 6. Every $A_M/\mathrm{A}$ associated with an LBA $M = (\Sigma, Q, Q_f, q_0, \#, \$, S)$ satisfies $\langle q_0 \# w \$ \rangle \to^*_{A_M/\mathrm{A}} o$ if $w \in \mathcal{L}(M)$. □

Next we show that the reverse also holds. Looking at the transition rules of $A_M$, we can observe that if $t \to^*_{A_M/\mathrm{A}} o$, there exists a derivation represented as follows. Let $p \in Q_f$.

$C\llbracket q_0, \#, a_1, \ldots, a_n, \$ \rrbracket$

$\to^*_{A_M/\mathrm{A}} C\llbracket \alpha_{q_0}, \beta_\#, \beta_{a_1}, \ldots, \beta_{a_n}, \beta_\$ \rrbracket$ ··· (1)

$\to^*_{A_M/\mathrm{A}} C\llbracket \beta_{b_0}, \beta_{b_1}, \ldots, \beta_{b_{i-1}}, \alpha_p, \beta_{b_i}, \ldots, \beta_{b_n}, \beta_{b_{n+1}} \rrbracket$ ··· (2)

$\to^*_{A_M/\mathrm{A}} f(o_2, \beta_\$)$

$\to^*_{A_M/\mathrm{A}} o$.

More precisely, since $o$ is produced only by the rule 11, we have a derivation $t \to^*_{A_M/\mathrm{A}} f(o_2, \beta_\$)$. On the other hand, $t$ has to contain the initial state symbol $q_0$ and the endmarks $\#$ and $\$$ such that $q_0$ is located left-next to $\#$. And, for any $s, s' \in T(\mathcal{F}_M \cup Q_M)$, it holds that if $s \to_{A_M/\mathrm{A}} s'$ then

$\|s\|_\$ + \|s\|_{\beta_\$} + \|s\|_o = \|s'\|_\$ + \|s'\|_{\beta_\$} + \|s'\|_o$

and

$\sum_{q \in Q} (\|s\|_q + \|s\|_{\alpha_q} + \|s\|_{\bar\alpha_q}) + \|s\|_{*q_0} + \|s\|_{o_1} + \|s\|_{o_2} + \|s\|_o = \sum_{q \in Q} (\|s'\|_q + \|s'\|_{\alpha_q} + \|s'\|_{\bar\alpha_q}) + \|s'\|_{*q_0} + \|s'\|_{o_1} + \|s'\|_{o_2} + \|s'\|_o$.

Moreover, $\|t\|_\# = \|t\|_{q_0}$ by the transition rule 3. Then,

$t = C\llbracket c_1, \ldots, c_{j-1}, q_0, \#, c_j, \ldots, c_{j+k}, \$, c_{j+k+1}, \ldots, c_m \rrbracket$

or

$t = C\llbracket c_1, \ldots, c_{j-1}, \$, c_j, \ldots, c_{j+k}, q_0, \#, c_{j+k+1}, \ldots, c_m \rrbracket$

for some context $C$ and $c_1, \ldots, c_m \in \Sigma$. Since $t \to^*_{A_M/\mathrm{A}} o$, we can assume without loss of generality that

$t \to^*_{A_M/\mathrm{A}} C'\llbracket \beta_{c_1}, \ldots, \beta_{c_{j-1}}, \alpha_{q_0}, \beta_\#, \beta_{c_j}, \ldots, \beta_{c_{j+k}}, \beta_\$, \beta_{c_{j+k+1}}, \ldots, \beta_{c_m} \rrbracket \to^*_{A_M/\mathrm{A}} o$

or

$t \to^*_{A_M/\mathrm{A}} C'\llbracket \beta_{c_1}, \ldots, \beta_{c_{j-1}}, \beta_\$, \beta_{c_j}, \ldots, \beta_{c_{j+k}}, \alpha_{q_0}, \beta_\#, \beta_{c_{j+k+1}}, \ldots, \beta_{c_m} \rrbracket \to^*_{A_M/\mathrm{A}} o$.

Since $t \to^*_{A_M/\mathrm{A}} f(o_2, \beta_\$)$, the former derivation is the case, which can be proved by induction on the length of a derivation $s \to^*_{A_M/\mathrm{A}} f(o_2, \beta_\$)$. Moreover, we obtain $j = 1$ and $k = n - 1$ such that $c_i = a_i$ for all $1 \leq i \leq n$. Before we apply a transition rule 8, there are no applicable rules other than the rules 5-7.

We let $u$ be a term appearing in between (1) and (2), and we define the mapping $str$ as follows.

$str(s) = str(s_1)\,str(s_2)$ if $s = f(s_1, s_2)$,
$str(s) = q$ if $s = \alpha_q$ for some $q \in Q$,
$str(s) = a$ if $s = \beta_a$ for some $a \in \Sigma \cup \{\#, \$\}$.

Then we obtain the following property. 
Lemma 7. Let $v$ be a term in (2). If $u \to^*_{A_M/\mathrm{A}} v$ and $str(u) \in (\Sigma \cup \{\#, \$\} \cup Q)^*$, then $str(u) \to^*_M str(v)$.

Proof. We use induction on the length of $u \to^*_{A_M/\mathrm{A}} v$. The base case is trivial, because $u = v$. For the induction step we suppose $u \to^+_{A_M/\mathrm{A}} v$. By assumption, $u$ does not contain $\bar\alpha_q$ for any $q \in Q$. Let $u \to_{A_M/\mathrm{A}} u' \to^*_{A_M/\mathrm{A}} v$. If there exists a transition rule $f(\alpha_q, \beta_a) \to f(\beta_b, \alpha_r) \in \mathcal{R}_M$ and it is applied to $u$, then $str(u') = \#\,d_1 \ldots d_{i-2}\,b\,r\,d_i \ldots d_n\,\$$ for some $d_1, \ldots, d_{i-2}, b, d_i, \ldots, d_n \in \Sigma$. So, $str(u) = \#\,d_1 \ldots d_{i-2}\,q\,a\,d_i \ldots d_n\,\$$, and thus, $str(u) \to_M str(u')$. Otherwise, there is a rule $f(\alpha_q, \beta_a) \to f(\bar\alpha_r, \beta_b) \in \mathcal{R}_M$ and it is applied to $u$. In this case there is also a (and only one) transition rule $f(\beta_c, \bar\alpha_r) \to f(\alpha_r, \beta_c)$ which is applicable to $u'$. So, $u' \to_{A_M/\mathrm{A}} u''$ such that $str(u'') = \#\,d_1 \ldots d_{i-2}\,r\,c\,b\,d_{i+1} \ldots d_n\,\$$ for some $d_1, \ldots, d_{i-2}, c, b, d_{i+1}, \ldots, d_n \in \Sigma$. This implies $str(u) = \#\,d_1 \ldots d_{i-2}\,c\,q\,a\,d_{i+1} \ldots d_n\,\$$ and $str(u) \to_M str(u'')$. □

As a consequence, completeness (with respect to acceptability) is established.

Lemma 8. Every $A_M/\mathrm{A}$ associated with an LBA $M = (\Sigma, Q, Q_f, q_0, \#, \$, S)$ satisfies: for all $t \in T(\mathcal{F}_M)$, if $t \to^*_{A_M/\mathrm{A}} o$ then $t \approx_{\mathrm{A}} \langle q_0 \# w \$ \rangle$ for some $w \in \mathcal{L}(M)$. □

We know $\mathcal{L}(M)$ is empty if and only if $\mathcal{L}(A_M/\mathrm{A})$ is empty. Moreover, the former property ($\mathcal{L}(M) = \emptyset$) is known to be undecidable, and so is the latter.

Corollary 1. For an arbitrary A-TA it is undecidable whether the tree language recognized by the A-TA is empty. □

Hence an A-TA cannot always be regularized, although it can be quasi-regularized.

Theorem 1. There exists an ETA $A/\mathrm{A}$ such that $\mathcal{L}(A/\mathrm{A}) \neq \mathrm{A}(\mathcal{L}(B))$ for any TA $B$. □

In fact, the language $P = \{w \in \{a\}^* \mid |w| = 2^n$ and $n \geq 0\}$ is recognizable with an LBA, and thus, the tree language $T = \{t \mid t \approx_{\mathrm{A}} \langle q_0 \# w \$ \rangle$ and $w \in P\}$ is recognizable with an A-TA. However, $T$ is not recognizable with a regular A-TA, and then $\{\langle q_0 \# w \$ \rangle \mid w \in P\}$ is not recognizable with a regular TA. In other words, even if there exists a tree language $L$ such that $\mathrm{A}(L) = \mathcal{L}(A/\mathrm{A})$, $L$ is not recognizable with a TA in general.

Undecidability of finiteness is also obtained, because the finiteness problem of LBA is undecidable. Note that $\{\langle q_0 \# w \$ \rangle \mid w \in \mathcal{L}(M)\}$ is finite if and only if $\mathcal{L}(A_M/\mathrm{A})$ is finite.

Corollary 2. For an arbitrary A-TA it is undecidable whether the tree language recognized by the A-TA is finite. □

Furthermore, the question whether $\mathcal{L}(M) = \Sigma^*$ is known to be undecidable for an arbitrary LBA $M$. This yields the following undecidability results.




550    Hitoshi Ohsaki



Corollary 3. Let $A/\mathrm{A}$ and $B/\mathrm{A}$ be ETA. It is undecidable to test the subset relation $\mathcal{L}(A/\mathrm{A}) \subseteq \mathcal{L}(B/\mathrm{A})$. The equivalence test $\mathcal{L}(A/\mathrm{A}) = \mathcal{L}(B/\mathrm{A})$ is also undecidable.

Proof. Let $M_1$ be an arbitrary LBA and $M_2$ be an LBA such that $\mathcal{L}(M_2) = \Sigma^*$, e.g. $M_2 = (\Sigma, \{q_0\}, \{q_0\}, q_0, \#, \$, \emptyset)$. Then we take $A = A_{M_2}$ and $B = A_{M_1}$ together with $\mathrm{A} = \{f(f(x,y),z) \approx f(x,f(y,z))\}$. As we can see, $\mathcal{L}(A/\mathrm{A}) \subseteq \mathcal{L}(B/\mathrm{A})$ (and $\mathcal{L}(A/\mathrm{A}) = \mathcal{L}(B/\mathrm{A})$) if and only if $\Sigma^* = \mathcal{L}(M_1)$. □

4 Closure Properties

As we discussed in the previous section, equational tree automata are sometimes too powerful. Nevertheless, the recognizable tree languages are still useful in a certain situation, as they are closed under two operations: union and intersection. In this section we discuss the closure properties of $\mathcal{E}$-tree languages.

Theorem 2. If $\mathcal{E}$ is a variable-preserving ES, the union of tree languages $L_1, L_2$ recognized by ETA's $A/\mathcal{E}$ and $B/\mathcal{E}$ is recognizable with an ETA $C/\mathcal{E}$.

Proof. Let $A/\mathcal{E} = (\mathcal{F}, Q_A, Q_{Af}, \mathcal{R}_A, \mathcal{E})$ and $B/\mathcal{E} = (\mathcal{F}, Q_B, Q_{Bf}, \mathcal{R}_B, \mathcal{E})$. We assume without loss of generality that $Q_A \cap Q_B = \emptyset$. We take the ETA $C/\mathcal{E} = (\mathcal{F}, Q, Q_f, \mathcal{R}, \mathcal{E})$ as follows: $Q = Q_A \cup Q_B$, $Q_f = Q_{Af} \cup Q_{Bf}$ and $\mathcal{R} = \mathcal{R}_A \cup \mathcal{R}_B$. Below we show the two properties: (1) $s \to^*_{C/\mathcal{E}} p \in Q_A$ if and only if $s \to^*_{A/\mathcal{E}} p$, and (2) $s \to^*_{C/\mathcal{E}} q \in Q_B$ if and only if $s \to^*_{B/\mathcal{E}} q$. Since the "if" parts of both properties are trivial, it suffices to show the "only if". We observe that if $t \to_{C/\mathcal{E}} t'$ and $fun(t) \cap Q_A \neq \emptyset$ then $fun(t') \cap Q_A \neq \emptyset$, because $\mathcal{E}$ is variable-preserving. Moreover, if $t \to_{A/\mathcal{E}} t'$ then $fun(t') \cap Q_A \neq \emptyset$. The same property holds also for $Q_B$ and $\to_{B/\mathcal{E}}$. This implies that if $t \to^*_{C/\mathcal{E}} q \notin Q_B$ then $t \to^*_{A/\mathcal{E}} q$. Hence the property (1) holds. Similarly, the property (2) can be proved. □

Let $P$ be a set of ill-formed tape statuses. For instance, $P$ contains $\#\,w\,\$$ (missing a state symbol in a tape) and $\#\,p\,\#\,w\,\$$ (extra right endmark). The set $\{\langle p \rangle \mid p \in P\}$ is regular, and then $I = \{t \mid t \approx_{\mathrm{A}} \langle p \rangle$ and $p \in P\}$ is recognizable with a (regular) A-TA. We take the union of the tree languages $I$ and $\mathcal{L}(A_M/\mathrm{A})$, which is recognizable with an A-TA due to the above theorem. Since the universality problem of LBA, i.e. the question whether $\{q_0 \# w \$ \mid w \in \Sigma^*\} = \mathcal{L}(M)$, is undecidable, so is the test $I \cup \mathcal{L}(A_M/\mathrm{A}) = T(\mathcal{F}_M)$.

Corollary 4. For an arbitrary ETA $A/\mathrm{A}$ over the signature $\mathcal{F}$ it is undecidable whether $\mathcal{L}(A/\mathrm{A}) = T(\mathcal{F})$. □

Next we discuss the intersection. Regular tree languages are closed under intersection [2]. Tree languages recognizable with C-TA are also closed under intersection (Corollary 3). The remaining questions to be considered as useful cases are the closedness of A- and AC-TA's.

Theorem 3. If $\mathcal{E} = \mathrm{A}$ or $\mathcal{E} = \mathrm{AC}$, the intersection of tree languages $L_1, L_2$ recognized by ETA's $A/\mathcal{E}$ and $B/\mathcal{E}$ is recognizable with an ETA $C/\mathcal{E}$.
Proof. We show the proof sketch for the A-case. Note that the same proof construction can be applied to the AC-case. Let $G$ ($\subseteq \mathcal{F}$) be the set of binary symbols of the A-axioms and let $A/\mathrm{A} = (\mathcal{F}, Q_A, Q_{Af}, \mathcal{R}_A, \mathrm{A})$ and $B/\mathrm{A} = (\mathcal{F}, Q_B, Q_{Bf}, \mathcal{R}_B, \mathrm{A})$ such that $Q_A \cap Q_B = \emptyset$. Due to Corollary 4, we assume without loss of generality that $A/\mathrm{A}$ and $B/\mathrm{A}$ are quasi-regular. Define the ETA $C/\mathrm{A} = (\mathcal{F}, Q, Q_f, \mathcal{R}, \mathrm{A})$ as follows. $Q = (Q_A \times Q_B) \cup Q_A \cup Q_B$ and $Q_f = Q_{Af} \times Q_{Bf}$. The set $\mathcal{R}$ of transition rules is the union of the 4 sets $\mathcal{R}_\times$, $\mathcal{R}_A$, $\mathcal{R}_B$ and $\mathcal{R}_G$ defined below.

$\mathcal{R}_\times$: $f((p_1, q_1), \ldots, (p_n, q_n)) \to (p, q)$ if $f \in \mathcal{F} \setminus G$, $f(p_1, \ldots, p_n) \to p \in \mathcal{R}_A$ and $f(q_1, \ldots, q_n) \to q \in \mathcal{R}_B$.

$\mathcal{R}_A$: $g((p_1, q_1), (p_2, q_2)) \to g((p, q_1), q_2)$ and $g(p_1, (p_2, q_2)) \to (p, q_2)$ if $g \in G$, $q_1, q_2 \in Q_B$ and $g(p_1, p_2) \to p \in \mathcal{R}_A$; and
$g((p_1, q_1), (p_2, q_2)) \to g((r_1, q_1), (r_2, q_2))$ and $g(p_1, (p_2, q_2)) \to g(r_1, (r_2, q_2))$ if $g(p_1, p_2) \to g(r_1, r_2) \in \mathcal{R}_A$.

$\mathcal{R}_B$: $g((p_1, q_1), (p_2, q_2)) \to g((p_1, q), p_2)$ and $g(q_1, (p_2, q_2)) \to (p_2, q)$ if $g \in G$, $p_1, p_2 \in Q_A$ and $g(q_1, q_2) \to q \in \mathcal{R}_B$; and
$g((p_1, q_1), (p_2, q_2)) \to g((p_1, r_1), (p_2, r_2))$ and $g(q_1, (p_2, q_2)) \to g(r_1, (p_2, r_2))$ if $g(q_1, q_2) \to g(r_1, r_2) \in \mathcal{R}_B$.

$\mathcal{R}_G$: $g((p, q_1), q_2) \to g(q_1, (p, q_2))$, $g((p_1, q), p_2) \to g(p_1, (p_2, q))$ and $g(q, p) \to (p, q)$ if $g \in G$, $p_1, p_2, p \in Q_A$ and $q_1, q_2, q \in Q_B$.

The ETA $C/\mathrm{A}$ satisfies that for any term $t \in T(\mathcal{F})$, $t \to^*_{C/\mathrm{A}} (p, q) \in Q_f$ if and only if $t \to^*_{A/\mathrm{A}} p \in Q_{Af}$ and $t \to^*_{B/\mathrm{A}} q \in Q_{Bf}$. □

This theorem holds also for $\mathcal{E}$-TA whose ES $\mathcal{E}$ consists of equations of the shape $f(x, f(y, z)) \approx f(y, f(x, z))$. Kaji et al. [10] pointed out that in order to express some key-exchange protocols using term rewriting, those axioms are required.

5 Concluding Remarks 

In the paper we introduced equational tree automata together with the undecidability results. We also showed the closure properties of union and intersection for equational tree automata. The newly introduced tree automata framework is almost optimal for the intended benefit and it attains our goal: to propose a class of tree languages in which congruence closures of recognized languages are recognizable. Furthermore, we presented the relationship between the standard TA and our equational extension.

Fig. 1. Hierarchy of tree languages (nested areas TA, $\mathcal{E}$(TA), $\mathcal{E}$-TA and TM)

Fig. 1 illustrates the result on a hierarchy of 4 classes of tree languages (in case $\mathcal{E}$ is linear). In the figure the smallest area TA denotes the class of tree languages recognizable with a regular TA. The second smallest area $\mathcal{E}$(TA) is the $\mathcal{E}$-congruence closure of TA, and $\mathcal{E}$-TA is the class of ETA. The largest area TM denotes the set of generatable tree languages. These inclusion relations are all strict. It is unclear so far whether the strict inclusion between TM and $\mathcal{E}$-TA holds also for $\mathcal{E}$ non-linear.

In order to discuss (minimal) equational extension of tree automata it would be important to consider whether the following question is answered positively:

— If $\mathcal{E} = \mathrm{A}$ (or $\mathcal{E} = \mathrm{AC}$),
$\forall A, B : \text{regular TA},\ \exists C : \text{regular TA}.\ \mathcal{E}(\mathcal{L}(A)) \cap \mathcal{E}(\mathcal{L}(B)) = \mathcal{E}(\mathcal{L}(C))$?

There are two more interesting questions about equational tree automata.

— Regularizability of AC-TA:
$\forall A/\mathrm{AC} : \text{ETA},\ \exists B/\mathrm{AC} : \text{regular ETA}.\ \mathcal{L}(A/\mathrm{AC}) = \mathcal{L}(B/\mathrm{AC})$?

— Closure under complement of A- and AC-TA: if $\mathcal{E} = \mathrm{A}$ (or $\mathcal{E} = \mathrm{AC}$),
$\forall A/\mathcal{E} : \text{ETA},\ \exists B/\mathcal{E} : \text{ETA}.\ \overline{\mathcal{L}(A/\mathcal{E})} = \mathcal{L}(B/\mathcal{E})$?

We observe that equational tree automata are closely related to context-sensitive grammars (Section 9.3, [8]), so it is conjectured that the second question is solved positively.
Abstract. We present a new method to specify a certain class of quotients in intensional type theory, and in the calculus of inductive constructions in particular. We define the notion of "normalized types". The main idea is to associate a normalization function to a type, instead of the usual relation. This function allows one to compute on a particular element of each equivalence class, avoiding the difficult task of computing on equivalence classes themselves. We restrict ourselves to quotients that allow the construction of such a function, i.e. quotients having a canonical member for each equivalence class. This method is described as an extension of the calculus of constructions allowing normalized types. We prove that this calculus has the properties of strong normalization, subject reduction and decidability of typing. In order to show the example of the definition of Z by a normalized type, we finally present a pseudo Coq session.



1 Introduction 

1.1 The Calculus of Inductive Constructions 

Type theory is a fruitful formalism for automated proof systems like Coq, Lego, Agda/Alfa etc. The expressive power of this framework is comparable to set theory. However it appeared that the definition of complex structures is easier and computationally more powerful if the type theory is enriched with some constructions. In particular the calculus of inductive constructions (CIC) [14] is an extension of the calculus of constructions [6] where it is possible to define new types by giving the list of their typed constructors, in a sort of ML-style. For example:

Inductive Nat := 0:Nat | S:Nat → Nat.

Inductive AList := nil:(A:Set)(AList A) | cons:(A:Set) A → (AList A) → (AList A).

Inductive BListn := nil:(BListn 0) | cons:(n:Nat) Bool → (BListn n) → (BListn (S n)).

By definition the terms of an inductive type T form the least set of terms recursively built from its constructors. This is stated by the induction schemes, also called elimination principles, like for example the one on naturals: $\forall P\ \{(P\,0) \wedge (\forall x\,(P\,x) \to (P\,(S\,x)))\} \to \forall x\,(P\,x)$. It is possible to define functions on an
inductive type by pattern matching in ML-style, that can be evaluated in the usual way. For example:

parity = λx:Nat. Case x of 0 ⇒ true | (S n) ⇒ (not (parity n)) end

In the calculus of inductive constructions, these notions are stated by typed terms, in the Curry-Howard spirit. The elimination principle above is for example expressed by the term:

Nat_rec : (P:Nat→Set)(P 0)→((m:Nat)(P m)→(P (S m)))→(m:Nat)(P m)

where an expression of the form (x:A)T (also written Πx:A.T) is the notation for the dependent product, abbreviated to A → T when T does not depend on x.

Using Nat_rec, we can define (possibly recursive) functions on Nat by pattern matching on constructors. We can also make proofs by cases or by induction on Nat. We can deduce from Nat_rec a non-dependent principle, easier to use when the type P is not dependent:

Nat_rec' : (P:Set) P → (Nat→P→P) → Nat → P

The function parity is written in the CIC using Nat_rec':

parity = (Nat_rec' bool true ([y:nat][b:bool](not b)))

where [x:A]t stands for λx:A.t. In order to evaluate such functions in the CIC, new rewriting rules are added for the recursors:

(Nat_rec' T t0 t1 0) → t0

(Nat_rec' T t0 t1 (S x)) → (t1 x (Nat_rec' T t0 t1 x))

where t0 and t1 are two terms of type T and nat→T→T respectively. Notice how structural recursion is simulated and how the head constructor of the last argument (0 or S) is used to choose which branch of the recursor must be used.

In the version of the CIC that we consider, this new reduction, called ι-reduction, is part of the internal reduction of the system, as is β (evaluation of applications). We do not consider η (evaluation of dummy abstractions) in our work. More precisely, the internal reduction →_CIC, which defines the evaluation mechanism on terms, is:

→_CIC = →_ι ∪ →_β

From the theorem prover perspective, it is very important that the evaluation mechanism terminates. So in CIC restrictions on the definition of functions are made to allow only terminating functions to be defined (see appendix B, and [14]). This evaluation mechanism is closely related to the internal notion of equality of CIC, as we explain in the next section.

1.2 The Notion of Equality

The notion of equality in type theory is a delicate problem. The undecidability in general of the usual notion of equality in mathematics makes any implementation of a general decision procedure impossible. However, a lot of work has been done to find weaker decidable equivalence relations between terms of the type theory, in order to:

— Make decision procedures to minimize the number of proofs of equality to be made by hand.

— Make typing decidable in presence of a conversion rule of the form (needed in a dependently typed framework):

$$\text{Conv}: \frac{\Gamma \vdash t : T_1 \qquad T_1 = T_2}{\Gamma \vdash t : T_2}$$

where = is an equivalence relation between terms, Γ is a typing environment, and t, T1 and T2 are terms. We see here that in order to keep a decidable typing procedure, = must remain decidable.

A decidable typing is not an absolute requirement; systems like PVS do not have a decidable typing. However, there are evident practical advantages in decidability of typing and internal equality, and we will consider it necessary in our paper, according to the point of view that prevailed in the conception of Coq.

Since the classical (undecidable) notion of equality is still necessary, the CIC, as other systems of type theory, uses several notions of equality. In CIC we first have a notion of internal equality, also called definitional equality¹. This equality is a congruence on terms (and types, because we are in a type dependent framework) and is the equality used in the conversion rule of the type system. More precisely, the internal equality $=_{CIC}$ of CIC is the reflexive, symmetric and transitive closure of $\to_{CIC}$.

We have a second notion of equality, called propositional equality ($=^P_{CIC}$), also called Leibniz equality. It is defined in the calculus and can be used and extended by the user. It will not be considered in the typing rules and is not necessarily decidable. It is defined such that $=_{CIC} \subseteq =^P_{CIC}$; thus we will call user equality the minimal relation whose union with $=_{CIC}$ is $=^P_{CIC}$, that is, the part of $=^P_{CIC}$ that is not in $=_{CIC}$.

Notice here that nothing prevents the user from generating an inconsistency, for example by defining P such that P(True, False). We see in the next section that the fact that the propositional equality is not restricted to $=_{CIC}$ creates more subtle problems.

To sum up this section, we can say that $=^P_{CIC}$ is the mathematical equality and $=_{CIC}$ is the sub-relation of $=^P_{CIC}$ that is considered (and decided) during typing. Of course extending $=_{CIC}$ is interesting, as more terms will be identified internally.

1.3 The Problem of Non-free Structures 

As we saw in section 1.1, the $\iota$ rule only checks the head constructor of the 
argument of a function to decide which reduction rule to apply. This mechanism 
works well when the structures defined by inductive types are free, which means 
that two terms starting with two different constructors cannot be equal (even 
for $=^{P}_{CIC}$). But it fails in the presence of equations between head constructor terms² 

¹ In fact, Martin-Löf in his type theory gives four notions of equality: intensional 
(definitional) equality, judgment equality, type equality, and propositional equality. 
In the CIC these categories are not exactly relevant, as intensional equality is much 
more powerful than in Martin-Löf's theory, and judgment and type equalities are 
somehow replaced by internal or propositional equality. 

² Terms whose head symbol is a constructor. 
(in $=^{P}_{CIC}$). Indeed, in this case, two equal terms (by $=^{P}_{CIC}$) $t_1$ and $t_2$, starting with 
two different constructors, can generate an incoherence by $\to_{CIC}$. Suppose for 
example that we want to define the natural numbers modulo 2; we can naively 
state the axiom Eq0mod2: $0 =^{P}_{CIC} (S\ (S\ 0))$, but then the consistency of the system 
is compromised, as shown by the simple function $f$³: 

    f = λx:Nat. Cases x of 0 ⇒ True | (S n) ⇒ False end 

generating two equalities $(f\ 0) =_{CIC} \mathit{True}$ and $(f\ 0) =^{P}_{CIC} (f\ (S\ (S\ 0))) =_{CIC} \mathit{False}$, 
leading trivially to $\mathit{True} =^{P}_{CIC} \mathit{False}$. 

For this reason, inductive types only allow specifying free structures. This 
means that it is not possible to define quotients on inductive types in a simple 
way in systems like Coq. 

However, mathematical structures like integers (Z), integers modulo n (Z/nZ), 
rationals (Q), or sets are intrinsically quotients, that we want to define from an 
underlying type and an equivalence on this type. 

Our contribution, normalized types, is a method to specify structures 
where $=_{CIC}$ is safely extended by the user, allowing the definition of a certain class of 
quotients. It has been inspired by two existing methods, quotient types [9], [11], 
[5], and congruence types [2], that we both briefly present in the following. 

1.4 Related Work 

The definition of non-free structures in intensional type theory has been studied 
by Backhouse, Hofmann, Barthe, Geuvers, Jacobs and recently by S. Boutin. 
Roughly two methods were proposed: quotient types and congruence types, both 
inspired by previous works on extensional type theory. 

Quotient types as presented in [5] are an axiomatization of quotients from 
set theory, that has been implemented in the Coq system. A quotient type $T/R$ 
is built from a type $T$ (that we shall call the underlying type), and a relation 
$R$ on this type. For all $x : T$ we define the term $(In\ x) : T/R$. A set of axioms 
defines the properties of $T/R$ according to the classical notion of quotient, for 
example: $\forall x, y : T.\ (R\ x\ y) \Rightarrow (In\ x) =_{user} (In\ y)$, which defines the equality among 
the elements of the quotient. This axiomatization, by taking a set theoretical 
approach, is very general, but because of its axiomatic nature, does not capture 
the computational aspect of quotients (in particular because of the use of $=_{user}$ 
above instead of $=_{CIC}$). 

Martin Hofmann, in [10] and [9], already defines quotients this way. By 
extending the Martin-Löf type theory with quotient types and by giving an 
interpretation of it in the pure Calculus of Constructions, he gives good properties 
to quotient types. Our present work follows a similar method. 

A common aspect of these works is that the elimination principle for quotients 
is split in two principles. The first is weak and allows defining functions on the 

³ Notice that strictly speaking we use here a strong version of Nat_rec. 
quotient from functions on the underlying type. This lifting operation is allowed 
when the function is compatible with the relation of the quotient, according to 
the classical set theory mechanism. The second is strong and allows making 
inductions on quotient types, again by lifting proofs made on the underlying 
type. There is no compatibility condition for this principle. But it is clear that 
in some cases it is possible to define better induction schemes. 

Congruence types are a generalization of inductive types which could be called 
"inductive types with relation" ([13], [5]), or "inductive types with rewriting" [2]. 
This last point of view is the closest to our approach. It consists in the association 
of an inductive type $T$ and a canonical (i.e. confluent and terminating) term 
rewriting system (TRS) $\rho$, which is added to the internal reduction and 
equality of the system. This defines a new type $T_\rho$. Despite not being an inductive 
type, $T_\rho$ has a good computational behavior, because we can use $\rho$ to link any 
closed term of $T_\rho$ to a unique term in $T$: its normal form by $\rho$. This method allows 
a satisfying representation of quotients when the relation $R$ can be oriented into 
a canonical TRS. In particular, better induction schemes can be proved by hand 
using a notion of fundamental constructor. However, adding rewriting systems 
to internal reduction dynamically leads to the difficult problems of termination 
criteria and interaction between rewriting systems [3]. 

1.5 Plan 

We give a general description of normalized types in the next section. Then we 
define formally our extension of the calculus of constructions in section 2. We 
prove properties of this system in section 3. Finally we conclude with some 
considerations on our system and with some ideas of further work in section 4. In appendix 
A the example of the definition of Z in a pseudo Coq session is developed. We give 
in appendix B a short definition of the calculus of constructions as defined in 
[14]. 

2 The Calculus of Inductive Constructions with Normalized Types 

Let A be a type and nf a function from A to A; we define a new type Norm(A, nf) 
called "type A normalized by nf". Its elements are, and are only, of the form 
Class(A, nf, t), where t is a term of type A. This will be expressed by the elimination 
principle. The main idea of this work is to make Class(A, nf, t) and Class(A, nf, u) 
equivalent for internal equality (convertible) if (nf t) and (nf u) are equivalent. 
Reduction is defined to avoid the coherency problems cited in section 1.3. 

Our system is a variant of quotient types in the spirit of the congruence types of 
Barthe and Geuvers. We take advantage of both methods: 

— We use the idea of the association of a type with a computational object. 
Barthe uses a TRS; we will use a normalization function nf, i.e. a term of the 
original system, avoiding the problem of mixing reductions cited previously. 

— We will define a new calculus extending the calculus of inductive constructions. 
We use an interpretation from our calculus into CIC to define our 
notion of internal equality. 

By a slight addition to the reduction rules we can add normalized types to 
the Calculus of Inductive Constructions. The modification mainly consists in the 
enrichment of the conversion and reduction rules in order to make Class(A, nf, t) 
and Class(A, nf, u) convertible provided that t and u have the same canonical 
form. The subject of the rest of this paper is the formal definition and the study 
of the main properties of this extension. 

We use a method similar to [1] but in the context of inductive types: we first 
extend the syntax, typing and reduction rules of CIC and then we prove the 
properties of the new calculus using a translation from $\mathrm{CIC}^{nf}$ to CIC 
that has some strong properties. 

2.1 Syntax 

The syntax of $\mathrm{CIC}^{nf}$ is based on the notations of B. Werner's thesis [14], where 
a precise description of the CIC can be found (a short one can be found in 
appendix B). 

We take here the following hierarchy of sorts: Set : Type : Extern. 

Variables: V ::= x, y, z ... 

Sorts: S ::= Set | Type | Extern 

Terms (all terms of CIC belong also to $\mathrm{CIC}^{nf}$): 

    T ::= V | S | [V : T]T | (V : T)T | T T 
        | Ind(V : T){$\vec{T}$} | Constr(n, T)  n ∈ ℕ | Elim(T, T, T, T){$\vec{T}$} 
        | Norm(T, T) | Class(T, T, T) | Elimnorm(T, T, T, T) 

$\vec{T}$ denotes a sequence of terms. Ind, Constr and Elim are the usual constructions 
for inductive types. Norm, Class and Elimnorm are respectively the type 
constructor, term constructor and destructor for normalized types. 

We will use the usual notation $A \to B$ in place of $(x : A)B$ when $B$ does 
not depend on $x$. To increase readability, we will often use Coq-like notations for 
pattern matching expressions: 

    Cases t of <pattern1> ⇒ u₁ | <pattern2> ⇒ u₂ ... end. 

in place of the corresponding Elim($t_1$, $t_2$, $t_3$, $t$){$u_i$}, hiding the arguments $t_1$, $t_2$ and 
$t_3$ that can be deduced from context. 

We will as usual note $t[x \leftarrow u]$ the term $t$ where all free occurrences of $x$ 
have been replaced by $u$. The notion of free variable extends well to our new 
constructions, and all usual properties of substitutions are preserved. 

Finally, we define typing environments as sets of pairs of the form $(x : T)$. 
As usual $[]$ will denote the empty environment, and $\Gamma :: x : T$ the environment 
$\Gamma \cup \{(x : T)\}$. We will omit parentheses when it is not ambiguous. 
2.2 Computation 

Definition 1. Let $\to_{nf}$ be the following rewriting rule: 

    Elimnorm(A, nf, f, Class(A, nf, t)) $\to_{nf}$ (f (nf t)) 

The reduction $\to_{\mathrm{CIC}^{nf}}$ of $\mathrm{CIC}^{nf}$ is the congruent closure of $\to_{nf} \cup \to_{\beta} \cup \to_{\iota}$. 

Remark 1. Let $t_1$ and $t_2$ be two terms of CIC such that $t_1 \to_{CIC} t_2$ in CIC; then 
we also have $t_1 \to_{\mathrm{CIC}^{nf}} t_2$ in $\mathrm{CIC}^{nf}$. $\to_{\mathrm{CIC}^{nf}}$ reduction preserves typing. 

2.3 Conversion and Internal Equality 

Conversion is defined using a combination of an interpretation $\varphi$ of terms of 
$\mathrm{CIC}^{nf}$ into other terms of $\mathrm{CIC}^{nf}$, and a new reduction $\to_{nf'}$ applied to the 
interpreted terms. This unusual definition is necessary since we want two terms 
to be convertible when their canonical forms (calculated by the interpretation) 
are equivalent for a certain relation (the new notion of reduction). 

Since $\varphi$ is not necessarily idempotent, it is impossible to define the conversion 
as the closure of a reduction. We see here that deciding equality ($=_{\mathrm{CIC}^{nf}}$) and 
computing ($\to_{\mathrm{CIC}^{nf}}$) are no longer the same issue, but the two notions have 
to be compatible, as stated in property 1. 

Definition 2. We define $\varphi$ on terms and environments recursively as follows: 

— $\varphi(\mathrm{Class}(A, nf, t)) = \mathrm{Class}(\varphi(A), \varphi(nf), (\varphi(nf)\ \varphi(t)))$, 

— $\varphi(C[t]) = C[\varphi(t)]$ where $C$ is a context different from Class(_), 

— $\varphi([]) = []$ and $\varphi(\Gamma :: x : T) = \varphi(\Gamma) :: x : \varphi(T)$. 

Definition 3. We define $\to_{nf'}$, $=_{\iota\beta+nf'}$ and $=_{\mathrm{CIC}^{nf}}$ as follows: 

— Elimnorm(A, nf, f, Class(A, nf, t)) $\to_{nf'}$ (f t) 

— $=_{\iota\beta+nf'}$ is the congruent closure of $\to_{\iota}$, $\to_{\beta}$ and $\to_{nf'}$. 

— $t_1$ and $t_2$ are convertible ($t_1 =_{\mathrm{CIC}^{nf}} t_2$) iff $\varphi(t_1) =_{\iota\beta+nf'} \varphi(t_2)$. 

Property 1. If $t \to_{\mathrm{CIC}^{nf}} t'$ then $t =_{\mathrm{CIC}^{nf}} t'$. 

2.4 Typing 

The typing system contains the rules of CIC (given in appendix B), except the 
conversion rule, plus the following rules: 

$$\frac{\Gamma \vdash A : \mathrm{Set} \quad \Gamma \vdash nf : A \to A}{\Gamma \vdash \mathrm{Norm}(A, nf) : \mathrm{Set}}
\qquad
\frac{\Gamma \vdash t : A \quad \Gamma \vdash \mathrm{Norm}(A, nf) : \mathrm{Set}}{\Gamma \vdash \mathrm{Class}(A, nf, t) : \mathrm{Norm}(A, nf)}$$

$$\frac{\Gamma \vdash t : T_1 \quad \Gamma \vdash T_1, T_2 : s \quad T_1 =_{\mathrm{CIC}^{nf}} T_2}{\Gamma \vdash t : T_2}$$

$$\mathrm{ElimNnodep}:\ \frac{\Gamma \vdash P : \mathrm{Sort} \quad \Gamma \vdash t : \mathrm{Norm}(A, nf) \quad \Gamma \vdash H : A \to P}{\Gamma \vdash \mathrm{Elimnorm}(A, nf, H, t) : P}$$

$$\mathrm{ElimN}:\ \frac{\Gamma \vdash P : \mathrm{Norm}(A, nf) \to \mathrm{Sort} \quad \Gamma \vdash t : \mathrm{Norm}(A, nf) \quad \Gamma \vdash H : (s : A)(P\ \mathrm{Class}(A, nf, s))}{\Gamma \vdash \mathrm{Elimnorm}(A, nf, H, t) : (P\ (\mathrm{IdNorm}(A, nf, t)))}$$

with IdNorm(A, nf, t) =def Elimnorm(A, nf, ([x:A] Class(A, nf, x)), t) 

In the rule ElimN we use the term IdNorm, which maps Class(..., x) to 
Class(..., (nf x)). It is a consequence of the implicit normalization done with 
the reduction $\to_{nf}$ (and $\varphi$) defined previously. It is necessary to ensure that 
the reduction $\to_{nf}$ preserves typing. We see here that Elimnorm(A, nf, H, t) is 
not the proof that P is verified by t, but by the canonical form of t. 

Now it is easy to replace the property $(nf\ s) =_{CIC} s$ by any equivalent inductive 
predicate to have a powerful principle to define functions or make inductive 
proofs on normalized types. See appendix A for an example. 



3 Properties of $\mathrm{CIC}^{nf}$ 

Important results about this system are: 

1. subject reduction, whose proof is classical, similar to what can be found in [14] 
or [8]. 

2. strong normalization of $\to_{\mathrm{CIC}^{nf}}$ on well typed terms, which is proved in the 
following sections as a consequence of the analogous property of CIC. 

3. decidability of typing, which is a consequence of the decidability of $=_{\mathrm{CIC}^{nf}}$, 
itself a consequence of 4 and 5. 

4. strong normalization of $\to_{\iota\beta+nf'}$ on well typed terms, whose proof is 
completely similar to 2. 

5. confluence (Church-Rosser) of $\to_{\iota\beta+nf'}$, proved using the classical notion 
of parallel reduction. 

3.1 A Translation from $\mathrm{CIC}^{nf}$ to CIC 

To prove strong normalization of our reduction $\to_{\iota\beta+nf}$ we use the translation 
$\langle\ \rangle$ from $\mathrm{CIC}^{nf}$ to CIC, such that if $t \to_{\mathrm{CIC}^{nf}} t'$ then $\langle t \rangle \to^{+}_{CIC} \langle t' \rangle$. Thus, 
since $\langle\ \rangle$ also preserves typing, $SN(\mathrm{CIC}^{nf})$ is a consequence of $SN(\mathrm{CIC})$, which 
is well known. 

Definition 4. $\langle\ \rangle$ is defined by induction as follows: 

$\langle \mathrm{Norm}(A, nf) \rangle = (\mathrm{Indnorm}\ \langle A \rangle\ \langle nf \rangle)$ 

$\langle \mathrm{Class}(A, nf, t) \rangle = (\mathrm{indclass}\ \langle A \rangle\ \langle nf \rangle\ (\langle nf \rangle\ \langle t \rangle))$ 

$\langle \mathrm{Elimnorm}(A, nf, f, t) \rangle = (\langle f \rangle\ (\mathrm{rep}\ \langle A \rangle\ \langle nf \rangle\ \langle t \rangle))$ 

$\langle C[t] \rangle = C[\langle t \rangle]$ for any other construction $C$ 

We extend trivially $\langle\ \rangle$ to environments: 

$\langle [] \rangle = []$ 

$\langle \Gamma :: x : T \rangle = \langle \Gamma \rangle :: x : \langle T \rangle$ 
Notice the interpretation of the new terms of $\mathrm{CIC}^{nf}$ into an inductive type 
(Indnorm, defined below⁴) of CIC. Terms of the form Class(...) are normalized 
by $\langle\ \rangle$ via nf. The type and terms of CIC used in the translation are defined as 
follows: 

— Indnorm is a parameterized inductive type; it corresponds to the type Norm: 

    Indnorm := [A:Set][nf:A -> A] Ind(X:Set){A -> X} 

— the unique constructor of Indnorm corresponds to the construction Class: 

    indclass := [A:Set][nf:A -> A] Constr(1, (Indnorm A nf)) 

— the destructor rep of Indnorm corresponds to Elimnorm: 

    rep := [A:Set][nf:A -> A][t:(Indnorm A nf)] Cases t of (indclass A nf x) => x end. 

The type of rep is the following: (A:Set)(nf:A -> A)(Indnorm A nf) -> A. 

3.2 Properties of the Translation $\langle\ \rangle$ 

In this section we prove properties of $\langle\ \rangle$ that will allow us to state in the 
following section the strong normalization, subject reduction and confluence modulo 
conversion of $\mathrm{CIC}^{nf}$. This is the technical part. The two main properties of $\langle\ \rangle$ 
are that it preserves the typing relation and reduction. 

We will note $t = t'$ when $t$ is equal to $t'$ by definition of $\langle\ \rangle$. 

In order to prove strong normalization of $\mathrm{CIC}^{nf}$ from strong normalization 
of CIC, $\langle\ \rangle$ needs to preserve the typing relation. Before proving this property we 
state a small lemma: 

Lemma 1. For all terms $X$, $Y$ and $T$, and for all environments $\Gamma$, if $\Gamma \vdash_{CIC} 
(\mathrm{Indnorm}\ X\ Y) : T$ or $\Gamma \vdash_{CIC} T : (\mathrm{Indnorm}\ X\ Y)$, then $\Gamma \vdash_{CIC} X : \mathrm{Set}$ and 
$\Gamma \vdash_{CIC} Y : X \to X$. 

Proof. This is deduced from the typing rules and the type of Indnorm, which 
is (A:Set)(nf:A -> A)Set. 

Lemma 2. If $\Gamma \vdash_{\mathrm{CIC}^{nf}} u : T$ then $\langle \Gamma \rangle \vdash_{CIC} \langle u \rangle : \langle T \rangle$. 

Proof. By induction on the proof that $\Gamma \vdash_{\mathrm{CIC}^{nf}} u : T$. All cases from CIC are 
immediate since the typing rules of CIC are also typing rules of $\mathrm{CIC}^{nf}$. Finally 
the only difficulty is the case of the rule ElimN: 

— The last rule used is ElimN; we know that: 

$u = \mathrm{Elimnorm}(A, nf, f, t)$, and thus $\langle u \rangle = (\langle f \rangle\ (\mathrm{rep}\ \langle A \rangle\ \langle nf \rangle\ \langle t \rangle))$ 

$\Gamma \vdash_{\mathrm{CIC}^{nf}} \mathrm{Elimnorm}(A, nf, f, t) : (P\ (\mathrm{IdNorm}(A, nf, t)))$ 

From the rule ElimN we know that the following assertions hold: 

⁴ To make things clear, we can say that this is what is defined in Coq when we write 
the following definition: 

    Inductive Indnorm [A:Set, nf:A -> A] := indclass : A -> (Indnorm A nf). 

where A and nf are parameters of the inductive type Indnorm. 
(i) $\Gamma \vdash_{\mathrm{CIC}^{nf}} f : (s : A)(P\ \mathrm{Class}(A, nf, s))$ 

So by ind. hyp.: $\langle \Gamma \rangle \vdash_{CIC} \langle f \rangle : (s : \langle A \rangle)(\langle P \rangle\ (\mathrm{indclass}\ \langle A \rangle\ \langle nf \rangle\ (\langle nf \rangle\ s)))$ 

(ii) $\Gamma \vdash_{\mathrm{CIC}^{nf}} t : \mathrm{Norm}(A, nf)$ 

So by ind. hyp.: $\langle \Gamma \rangle \vdash_{CIC} \langle t \rangle : (\mathrm{Indnorm}\ \langle A \rangle\ \langle nf \rangle)$ 

(iii) $\Gamma \vdash_{\mathrm{CIC}^{nf}} P : \mathrm{Norm}(A, nf) \to \mathrm{Sort}$. 

By lemma 1 and (ii), we have: 

$\langle \Gamma \rangle \vdash_{CIC} \langle A \rangle : \mathrm{Set}$, and $\langle \Gamma \rangle \vdash_{CIC} \langle nf \rangle : \langle A \rangle \to \langle A \rangle$ 

and so, from the type of rep we have: 

$\langle \Gamma \rangle \vdash_{CIC} (\mathrm{rep}\ \langle A \rangle\ \langle nf \rangle\ \langle t \rangle) : \langle A \rangle$ 

Let us denote the term $(\mathrm{rep}\ \langle A \rangle\ \langle nf \rangle\ \langle t \rangle)$ by $v$. By applying the typing rule 
for application, we can conclude that: 

$\langle \Gamma \rangle \vdash_{CIC} (\langle f \rangle\ v) : (\langle P \rangle\ (\mathrm{indclass}\ \langle A \rangle\ \langle nf \rangle\ (\langle nf \rangle\ s)))[s \leftarrow v]$. 

Therefore: 

$\langle \Gamma \rangle \vdash_{CIC} \langle u \rangle : (\langle P \rangle\ (\mathrm{indclass}\ \langle A \rangle\ \langle nf \rangle\ (\langle nf \rangle\ (\mathrm{rep}\ \langle A \rangle\ \langle nf \rangle\ \langle t \rangle))))$ (1) 

On the other hand, we can verify that: 

$\langle P\ (\mathrm{IdNorm}(A, nf, t)) \rangle =_{CIC} (\langle P \rangle\ (\mathrm{indclass}\ \langle A \rangle\ \langle nf \rangle\ (\langle nf \rangle\ (\mathrm{rep}\ \langle A \rangle\ \langle nf \rangle\ \langle t \rangle))))$ 

which is the type of $\langle u \rangle$ in $\langle \Gamma \rangle$ (cf. (1)). So by the conversion rule of CIC we 
conclude that: 

$\langle \Gamma \rangle \vdash_{CIC} \langle u \rangle : \langle P\ (\mathrm{IdNorm}(A, nf, t)) \rangle$. 

The second property that we want in order to prove that $\mathrm{CIC}^{nf}$ is normalizing 
is that $\langle\ \rangle$ preserves reductions (lemma 4). We need to prove first that $\langle\ \rangle$ is 
coherent with substitutions, which is rather immediate. 

Lemma 3. If $t = u[x \leftarrow v]$ is a term of $\mathrm{CIC}^{nf}$, then $\langle t \rangle = \langle u \rangle[x \leftarrow \langle v \rangle]$. 

Proof. By induction on $u$ and then by cases. We suppose without loss of generality 
that all occurrences of $x$ in $u$ are free. 

Now we can state the preservation of reductions: 

Lemma 4. For all well typed terms $t_1$ and $t_2$ of $\mathrm{CIC}^{nf}$, if $t_1 \to_{\iota\beta+nf} t_2$ then 
$\langle t_1 \rangle \to^{+}_{CIC} \langle t_2 \rangle$. 

Proof. By induction on $t_1$. 

— Base case: $t_1 = x$, Extern, Set or Type; then $t_1$ is not reducible by $\to_{\iota\beta+nf}$. 

— $t_1 = (x : u)v$, then $\langle t_1 \rangle = (x : \langle u \rangle)\langle v \rangle$; the reduction is necessarily done on a 
strict sub-term of $t_1$. There are two cases: 

1. $t_2 = (x : u')v$ with $u \to_{\iota\beta+nf} u'$, then $\langle t_2 \rangle = (x : \langle u' \rangle)\langle v \rangle$. By induction 
hypothesis, $\langle u \rangle \to^{+}_{CIC} \langle u' \rangle$, thus $\langle t_1 \rangle = (x : \langle u \rangle)\langle v \rangle \to^{+}_{CIC} (x : \langle u' \rangle)\langle v \rangle = \langle t_2 \rangle$. OK. 

2. or $t_2 = (x : u)v'$ with $v \to_{\iota\beta+nf} v'$, same argument. OK. 

— The following cases are similar to the previous case: $t_1 = [x : u]v$, $t_1 = \mathrm{Ind}(x : u)\{\vec{v}\}$, 
$t_1 = \mathrm{Constr}(i, u)$, $t_1 = \mathrm{Norm}(u, v)$, $t_1 = \mathrm{Class}(u, v, w)$. 

— $t_1 = (u\ v)$, then $\langle t_1 \rangle = (\langle u \rangle\ \langle v \rangle)$; we distinguish two cases: 
1. if the reduction is in a strict sub-term of $t_1$, then the same argument as 
in the previous cases holds again. 

2. if the reduction is on the head of $t_1$, then it is a $\beta$-reduction, $t_1 = ([x : T]u'\ v)$, 
and $t_2 = u'[x \leftarrow v]$. So $\langle t_1 \rangle = ([x : \langle T \rangle]\langle u' \rangle\ \langle v \rangle)$. By lemma 3, 
$\langle t_2 \rangle = \langle u' \rangle[x \leftarrow \langle v \rangle]$ and therefore $\langle t_1 \rangle \to_{\beta} \langle t_2 \rangle$. OK. 

— $t_1 = \mathrm{Elim}(u_1, u_2, v_1, u_3)\{\vec{f}\}$; this case is similar to the previous one. Giving 
details here would require defining $\iota$-reduction precisely, which is rather 
long. 

— $t_1 = \mathrm{Elimnorm}(A, nf, f, t)$, then $\langle t_1 \rangle = (\langle f \rangle\ (\mathrm{rep}\ \langle A \rangle\ \langle nf \rangle\ \langle t \rangle))$; there are two 
cases: 

1. if the reduction is in a sub-term of $t_1$, then the above arguments hold. 

2. if the reduction is done on the head of $t_1$, then it is an $nf$-reduction, and 
we know that: 

• $t = \mathrm{Class}(A, nf, u)$ and therefore 

$\langle t_1 \rangle = (\langle f \rangle\ (\mathrm{rep}\ \langle A \rangle\ \langle nf \rangle\ \langle \mathrm{Class}(A, nf, u) \rangle))$ 

$\quad = (\langle f \rangle\ (\mathrm{rep}\ \langle A \rangle\ \langle nf \rangle\ (\mathrm{indclass}\ \langle A \rangle\ \langle nf \rangle\ (\langle nf \rangle\ \langle u \rangle))))$, 

which can be reduced by $\beta$ and $\iota$ to 

$(\langle f \rangle\ (\langle nf \rangle\ \langle u \rangle))$ 

• $t_2 = (f\ (nf\ u))$, and therefore $\langle t_2 \rangle$ is equal to $(\langle f \rangle\ (\langle nf \rangle\ \langle u \rangle))$. 

We have proved that $\langle t_1 \rangle \to^{+}_{CIC} \langle t_2 \rangle$. OK. 



3.3 Strong Normalization 

Theorem 1. If there exists an infinite reduction $\Delta$ starting from a well typed 
term $t$ of $\mathrm{CIC}^{nf}$ by $\to_{\iota\beta+nf}$, then there exists an infinite reduction $\Delta'$ starting 
from a well typed term of CIC ($\langle t \rangle$) by $\to_{CIC}$. 

Thus $\to_{\iota\beta+nf}$ is strongly normalizing on well typed terms. 

Proof. The reduction $\Delta'$ exists by iteration of lemma 4, and $\langle t \rangle$ is well typed by 
lemma 2. 



4 Conclusion 

We presented a method to specify a certain class of quotients. Our choice of a 
function instead of a term rewriting system as in [2] is motivated by the fact 
that functions are the computational objects of the type theory. This allows the 
use of a rather simple extension of CIC and its reduction. However, defining nf by 
a rewriting system remains a good idea for several reasons, in particular because 
it is possible to reduce in a term at any position, which is not possible in general 
with a recursive function, and because it is more efficient. 

The class of quotients that we can represent this way is the same as for [2], 
i.e. quotients whose relation can be "oriented" into a computation. 

For rationals we can define nf as the function that reduces fractions to 
irreducible fractions, but one needs more work to have a nice definition of Q. 
As we said at the beginning of the paper, focusing on a particular member of 
an equivalence class at the moment of computation can be seen as a weakness 
of our approach. But the fact that we use this artifice only when computing 
allows us to stay at the level of equivalence classes when reasoning. Indeed, the 
terms Class(..., 0) and Class(..., (S (P 0))) are identified only at 
conversion level (of course they are propositionally equal) but are not reduced 
one to the other. 

Anyway it is clear that an implementation of normalized types should propose 
several principles, as we said previously. It would moreover be interesting to 
see how automated induction methods as in [4] could be used to generate them 
automatically. Indeed, such methods are for example able to generate the Normint 
of the previous section. 

A Example: The Integers 

We shall now describe by an example the use of normalized types. We define 
the integers (Z), using a type Int that has 3 constructors 0, S and P, 
and a function nf that eliminates the useless combinations (S (P _)) and 
(P (S _)). To improve readability, we present this example as a pseudo Coq 
session. Coq is a tool that allows to interactively define, and type, terms of CIC. 
One way to define terms is to build them with a proof engine interactively by 
means of a set of tactics. We will suppose here that it has been extended to 
normalized types. Actually, normalized types have only been axiomatized in the real Coq. Int, nf 
and I have been defined; in particular I has been proved. Of course when we use 
normalized types, we pretend that normalized types have been implemented in 
the system Coq, which is not the case (though it will be implemented in a non 
official version of the system in the near future). 

A.1 Basic Definitions 

We assume that the propositional equality is defined as it presently is in Coq, 
i.e. as the least reflexive relation: 

    Inductive eq [A:Set; x:A] : A->Prop := refl_equal : (eq A x x). 

We first define the underlying type Int: 

    Inductive Int : Set := 0: Int | S: Int -> Int | P: Int -> Int. 

Then we define the function nf: 

    Fixpoint nf [n:Int] : Int := 
      Cases n of 
        0 => 0 
      | (S a) => Cases a of 
                   0 => (S 0) 
                 | (S y) => Cases (nf a) of 
                              0 => (S 0) 
                            | (S x) => (S (S x)) 
                            | (P x) => x end 
                 | (P y) => (nf y) end 
      | (P a) => ... end. 

Notice that it is written for a head-first strategy. That way, a term of the form 
(nf (P (S (P x)))) will reduce to (nf (P x)), which is not the case with 
the more obvious function (the two terms are only provably equal). This is a 
weakness of normalized types that we briefly discuss in the conclusion. 

A.2 Definition and Use of the Normalized Type 

From now on we still present the example in Coq syntax, but it is supposed that 
the system has been modified to deal with normalized types as described in 
this paper. We define the normalized type representing Z: 

    Definition Z : Set := Norm(Int, nf). 

Assuming that our notion of convertibility has been implemented in the system, 
Class(Int,nf,0) and Class(Int,nf,(S (P 0))) are convertible; therefore we 
can make the following proof of (S (P 0)) = 0: 

    Lemma (eq Z Class(Int,nf,0) Class(Int,nf,(S (P 0)))). 
    Exact (refl_equal Z Class(Int,nf,0)). Save. 

Let us show now the definition of a function. We first define a function IdInt 
on the underlying type and then we define IdZ on Z using Elimnorm and IdInt: 

    Definition IdInt : Int -> Z := [x:Int] Class(Int,nf,x). 

    Definition IdZ : Z -> Z := [x:Z] Elimnorm(Int,nf,IdInt,x). 

Now we can apply IdZ to several terms and see how it is computed. 

    Eval Compute in (IdZ Class(Int,nf,0))          = Class(Int,nf,0) 

    Eval Compute in (IdZ Class(Int,nf,(S (P 0))))  = Class(Int,nf,0) 

Let us follow step by step the second reduction: 

    (IdZ Class(Int,nf,(S (P 0)))) 
    →β   Elimnorm(Int,nf,IdInt,Class(Int,nf,(S (P 0)))) 
    →nf  (IdInt (nf (S (P 0))))  →*  (IdInt 0)  →*  Class(Int,nf,0) 

Notice that because of the reduction $\to_{nf}$, (S (P 0)) is reduced to 0 before 
being applied to IdInt; this is why the two terms above are reduced to the same term. 
We see here an example of the way the incoherence by $\iota$ (explained in section 1) is 
avoided in our system: nf is applied before any $\iota$-reduction on a normalized term 
can occur. 

A.3 Better Induction Scheme 

The following principle is a stronger elimination scheme in case nf is idempotent: 

    Elim_A : (A:Set) (nf:A -> A) ((x:A) (nf (nf x)) = (nf x)) 
          -> (P:(Norm(A,nf)) -> Prop) (H:(s:A) (nf s = s) -> (P Class(A,nf,s))) 
          -> (t:(Norm(A,nf))) (P t) 

It is easily provable in $\mathrm{CIC}^{nf}$ and we can deduce from it a stronger elimination 
principle for Z. We have to prove that nf is idempotent, and then instantiate 
Elim_A: 
    Lemma I : (x:Int) (nf (nf x)) = (nf x). ... Save. 

    Lemma ElZ : 
      (P:Z -> Prop) (H:(x:Int) (nf x = x) -> (P Class(Int,nf,x))) -> (t:Z) (P t). 

which is already a better induction principle. We can build an even more useful 
one by defining an inductive predicate Normint equivalent to the proposition (nf x = x): 

    Inductive pos : Int -> Prop := p0 : (pos (S 0)) | pS : (x:Int) (pos x) -> (pos (S x)). 

    Inductive neg : Int -> Prop := n0 : (neg (P 0)) | nP : (x:Int) (neg x) -> (neg (P x)). 

    Inductive Normint : Int -> Prop := norm0 : (Normint 0) 
      | normpos : (x:Int) (pos x) -> (Normint x) 
      | normneg : (x:Int) (neg x) -> (Normint x). 

    Lemma Normint_correct : (x:Int) (Normint x) <-> (nf x = x). ... Save. 

Finally we can replace one by the other and obtain the well known principle on 
Z: 

    Lemma IZ : 
      (P:Z -> Prop) (H:(x:Int) (Normint x) -> (P Class(Int,nf,x))) -> (t:Z) (P t). 
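The normalized type Norm(Int, nf) of appendix A, the rule →nf of definition 1 and the incoherence of section 1.3, as an added example in Rust that is not part of the paper. It assumes that the (P a) branch of nf, which the paper elides, mirrors the (S a) branch, and models conversion, Elimnorm and the predicates pos/neg/Normint as ordinary functions checked on constructed sample terms.

```rust
// Added example, not the paper's code: a Rust model of Norm(Int, nf) from
// appendix A. ASSUMPTION: the (P a) branch of nf, elided in the paper, mirrors (S a).
use self::Int::{Zero, P, S};

/// The underlying type Int with constructors 0, S and P (appendix A.1).
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Int {
    Zero,
    S(Box<Int>),
    P(Box<Int>),
}

pub fn s(x: Int) -> Int { S(Box::new(x)) }
pub fn p(x: Int) -> Int { P(Box::new(x)) }

/// nf with the head-first strategy of appendix A.1: (S (P y)) is cancelled
/// before y is normalized, so nf (P (S (P x))) steps to nf (P x).
pub fn nf(n: &Int) -> Int {
    match n {
        Zero => Zero,
        S(a) => match &**a {
            Zero => s(Zero),
            S(_) => match nf(a) {
                Zero => s(Zero),
                S(x) => s(S(x)),
                P(x) => *x,
            },
            P(y) => nf(y),
        },
        // Assumed symmetric branch for P (written "..." in the paper).
        P(a) => match &**a {
            Zero => p(Zero),
            P(_) => match nf(a) {
                Zero => p(Zero),
                P(x) => p(P(x)),
                S(x) => *x,
            },
            S(y) => nf(y),
        },
    }
}

/// Class(Int, nf, t). Convertibility (definition 3) compares the canonical
/// forms nf t and nf u, never the representatives t and u themselves.
#[derive(Clone, Debug)]
pub struct Class(pub Int);

impl PartialEq for Class {
    fn eq(&self, other: &Class) -> bool { nf(&self.0) == nf(&other.0) }
}

/// Rule ->nf of definition 1: Elimnorm(Int, nf, f, Class(Int, nf, t)) ->nf (f (nf t)).
/// The branch f only ever sees a canonical form.
pub fn elimnorm<R>(f: impl Fn(Int) -> R, c: &Class) -> R { f(nf(&c.0)) }

/// IdInt and IdZ from appendix A.2.
pub fn id_int(x: Int) -> Class { Class(x) }
pub fn id_z(c: &Class) -> Class { elimnorm(id_int, c) }

/// Head-constructor case analysis like the function f of section 1.3. On raw
/// representatives it separates 0 from (S (P 0)); through Elimnorm it cannot,
/// because nf runs before the iota-step: this is how the incoherence is avoided.
pub fn is_zero_head(x: Int) -> bool { matches!(x, Zero) }

/// pos, neg and Normint from appendix A.3, as boolean predicates.
pub fn pos(x: &Int) -> bool { match x { S(y) => matches!(**y, Zero) || pos(y), _ => false } }
pub fn neg(x: &Int) -> bool { match x { P(y) => matches!(**y, Zero) || neg(y), _ => false } }
pub fn normint(x: &Int) -> bool { *x == Zero || pos(x) || neg(x) }

/// Constructed sample terms (not from the paper) covering every nf branch.
pub fn samples() -> Vec<Int> {
    vec![Zero, s(Zero), p(Zero), s(p(Zero)), p(s(Zero)), s(s(Zero)), s(s(p(p(Zero)))),
         p(s(p(Zero))), p(p(s(Zero))), s(p(p(p(Zero))))]
}

/// Lemma I of appendix A.3 (nf is idempotent), checked on the samples.
pub fn nf_idempotent_on_samples() -> bool {
    samples().iter().all(|x| nf(&nf(x)) == nf(x))
}

/// Normint_correct of appendix A.3: (Normint x) <-> (nf x = x), on the samples.
pub fn normint_correct_on_samples() -> bool {
    samples().iter().all(|x| normint(x) == (nf(x) == *x))
}

fn main() {
    let t = Class(s(p(Zero)));
    println!("IdZ Class(Int,nf,(S (P 0))) = Class(Int,nf,{:?})", id_z(&t).0);
    println!("f on representative: {}, f via Elimnorm: {}",
             is_zero_head(s(p(Zero))), elimnorm(is_zero_head, &t));
    println!("nf idempotent: {}, Normint_correct: {}",
             nf_idempotent_on_samples(), normint_correct_on_samples());
}
```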



B The Calculus of Inductive Constructions 

Here is a short description of the calculus of inductive constructions, first defined 
in [7], following the notations of [14] and [12]. We first give the syntax, then the 
typing and reduction rules. 

The syntax is the following: 

Variables: V ::= x, y, z ... 

Sorts: S ::= Set | Type | Extern⁵. 

Terms: 

    T ::= V | S | [V : T]T | (V : T)T | T T 
        | Ind(V : T){$\vec{T}$} | Constr(n, T)  n ∈ ℕ | Elim(T, T, T, T){$\vec{T}$} 

Ind, Constr and Elim are respectively the type constructor, term constructor 
and destructor for inductive types. 

Reduction of CIC is the congruent closure of $\beta$- and $\iota$-reductions. See [14] for 
precisions on the term $\Delta[t_1, t_2, t_3]$. It roughly applies the right arguments ($\vec{m}$) 
to the branch ($f_k$) of the recursive definition. 

$$([x : t]t_1\ t_2) \to_{\beta} t_1[x \leftarrow t_2]$$

$$\mathrm{Elim}(I, Q, a, \mathrm{Constr}(k, I')\,\vec{m})\{f_i\} \to_{\iota} (\Delta[C_k(I), f_k, \mathrm{Fun\text{-}Elim}(I, Q, f_i)]\ \vec{m})$$

where $I = \mathrm{Ind}(X : A)\{C_i(X)\}$ 

The type system 

$$(\mathrm{Ax}_1)\ [] \vdash \mathrm{Set} : \mathrm{Type} \qquad (\mathrm{Ax}_2)\ [] \vdash \mathrm{Type} : \mathrm{Extern}$$

$$(\mathrm{Prod}\text{-}s)\ \frac{\Gamma \vdash t_1 : s \quad \Gamma :: (x : t_1) \vdash t_2 : s}{\Gamma \vdash (x : t_1)t_2 : s}$$

$$(\mathrm{Lam}\text{-}s)\ \frac{\Gamma \vdash (x : t_1)t_2 : s \quad \Gamma :: (x : t_1) \vdash t : t_2}{\Gamma \vdash [x : t_1]t : (x : t_1)t_2}$$

⁵ It is possible to replace Extern by a universe hierarchy; this is actually the case for the 
system implemented in Coq and Lego. It seems not difficult to extend our work to a 
universe hierarchy. 
$$(\mathrm{W}\text{-}\mathrm{Set})\ \frac{\Gamma \vdash t : \mathrm{Set} \quad \Gamma \vdash A : B \quad x \notin \Gamma}{\Gamma :: x : t \vdash A : B}
\qquad
(\mathrm{W}\text{-}\mathrm{Type})\ \frac{\Gamma \vdash t : \mathrm{Type} \quad \Gamma \vdash A : B \quad x \notin \Gamma}{\Gamma :: x : t \vdash A : B}$$

$$(\mathrm{Var})\ \frac{\Gamma \vdash t_1 : t_2 \quad (x : t_1) \in \Gamma}{\Gamma \vdash x : t_1}
\qquad
(\mathrm{App})\ \frac{\Gamma \vdash t_2 : (x : T_1)T_2 \quad \Gamma \vdash t_1 : T_1}{\Gamma \vdash (t_2\ t_1) : T_2[x \leftarrow t_1]}$$

$$(\mathrm{Conv})\ \frac{\Gamma \vdash t : T_1 \quad \Gamma \vdash T_1 : s \quad \Gamma \vdash T_2 : s \quad T_1 =_{\beta\iota} T_2}{\Gamma \vdash t : T_2}$$

$$(\mathrm{Ind})\ \frac{\mathrm{Ar}(A, \mathrm{Set}) \quad \Gamma \vdash A : \mathrm{Type} \quad \forall i.(\Gamma :: (X : A) \vdash C_i(X) : \mathrm{Set}) \quad \forall i.\mathrm{constr}(C_i(X))}{\Gamma \vdash \mathrm{Ind}(X : A)\{C_i(X)\} : A}$$

$$(\mathrm{Intro})\ \frac{\Gamma \vdash \mathrm{Ind}(X : A)\{C_i(X)\} : T \quad 1 \le n \le |C_i(X)|}{\Gamma \vdash \mathrm{Constr}(n, \mathrm{Ind}(X : A)\{C_i(X)\}) : C_n(\mathrm{Ind}(X : A)\{C_i(X)\})}$$

$$(\mathrm{W}\text{-}\mathrm{Elim})\ \frac{\begin{array}{c} A = (\vec{x} : \vec{A})\mathrm{Set} \quad I = \mathrm{Ind}(X : A)\{C_i(X)\} \quad \Gamma \vdash u : A \quad \Gamma \vdash t : (I\ u) \\ \Gamma \vdash Q : (x : A)(I\ x) \to \mathrm{Set} \quad \forall i.(\Gamma \vdash f_i : \Delta\{C_i(I), Q, \mathrm{Constr}(i, I)\}) \end{array}}{\Gamma \vdash \mathrm{Elim}(I, Q, u, t)\{f_i\} : (Q\ u\ t)}$$

$$(\mathrm{S}\text{-}\mathrm{Elim})\ \frac{\begin{array}{c} A = (\vec{x} : \vec{A})\mathrm{Set} \quad I = \mathrm{Ind}(X : A)\{C_i(X)\} \quad \Gamma \vdash u : A \quad \Gamma \vdash t : (I\ u) \\ \Gamma \vdash Q : (x : A)(I\ x) \to \mathrm{Type} \quad \forall i.\mathrm{Small}(C_i(X)) \quad \forall i.(\Gamma \vdash f_i : \Delta\{C_i(I), Q, \mathrm{Constr}(i, I)\}) \end{array}}{\Gamma \vdash \mathrm{Elim}(I, Q, u, t)\{f_i\} : (Q\ u\ t)}$$

The system is composed of the usual set of typing rules for a pure type system 
(PTS) and a specific set of rules for inductive types (Ind and below). 

The Elim rules make use of the term $\Delta\{C_i(I), Q, \mathrm{Constr}(i, I)\}$, which is again 
defined in [14], and builds the type that each branch of a recursive function 
defined with Elim should have. 

The constructions $\mathrm{constr}(C_i(X))$, $\mathrm{Ar}(A, \mathrm{Set})$ and $\mathrm{Small}(C_i(X))$ are very 
important syntactic conditions that must be satisfied to ensure normalization and 
coherency of the system. Their exact formulation is not very important for us; 
the important point is that the resulting calculus has nice properties like strong 
normalization, confluence and subject reduction, and that normalized types can 
therefore be defined from it. 
Abstract. In this paper we show how to extend a constructive type theory 
with a principle that captures the spirit of Markov's principle from 
constructive recursive mathematics. Markov's principle is especially useful 
for proving termination of specific computations. Allowing a limited 
form of classical reasoning, we get a more powerful resulting system which 
remains constructive and valid in the standard constructive semantics of 
a type theory. We also show that this principle can be formulated and 
used in a propositional fragment of a type theory. 



1 Introduction 

1.1 Overview 

The main goal of this paper is to support limited classical reasoning in a generally 
intuitionistic framework. We use a squash operator for this purpose. This operator 
creates a proposition stating that a certain type is non-empty without 
providing an inhabitant, i.e. squash "forgets" proofs. It was first introduced in 
[6] and also used in [15] and the MetaPRL system [9,10]. Using squash it is possible 
to define the notion of squash-stability, which is similar to self-realizability. 

The squash operator can be considered as a modality. The propositional logic 
equipped with this modality can express a principle that allows turning classical 
proofs of squash-stable propositions into constructive ones. This principle is 
valid in a standard type theory semantics if we consider it in the classical meta- 
theory. Therefore this principle does not destroy the constructive nature of type 
theory in the sense that we can always extract a witness term from a derivation. 

It turns out that this principle implies Markov's principle, providing us with a 
propositional analog of Markov's principle. It is rather surprising that such an analog 
exists because normally one needs quantifiers in order to formulate Markov's 
principle. 

We also show an equivalent way of defining the same principle using a mem- 
bership type instead of the squash operator. 

* This work was partially supported by AFRL grant F49620-00-1-0209 
1.2 Markov's Constructivism 

Constructive mathematics is interesting in Computer Science because of program 
correctness issues. There are several approaches to constructivism (see [4,5,19] 
for an overview). We are especially interested in the constructive recursive 
mathematics (CRM) approach developed by Markov [12,13] and in constructive type 
theories (especially those that are based on Martin-Löf type theory [14]) since we 
believe them to be highly relevant to Computer Science. In this paper we demonstrate 
how to apply the ideas of CRM to a constructive type theory, thus creating 
a more powerful type theory that combines the strengths of both approaches to 
constructive mathematics. 

According to Markov's CRM approach, all objects are algorithms, where 
algorithms are understood as finite strings in a finite alphabet. All logical 
connectives are understood in a constructive way. That is, a statement is true if 
and only if there exists an algorithm that produces a witness of this statement. 
For example, the witness for $\forall x.\,A(x) \lor \neg A(x)$ is an algorithm that for a 
given $x$ tells us either that $A(x)$ is true (and provides a witness for $A(x)$) or 
that $\neg A(x)$ is true (and provides a witness for $\neg A(x)$). That means that 
$\forall x.\,A(x) \lor \neg A(x)$ is true only for decidable predicates $A$. Since not all 
predicates are decidable, Markov's school has to reject the rule of excluded middle. 

Note that a witness of a proposition does not "prove" that proposition. For 
example, $\forall x.\,A(x) \lor \neg A(x)$ is true when there is a decision algorithm for $A$, 
but it does not mean that there is a proof¹ that this algorithm works properly 
(i.e. always terminates and gives the correct answer). In this respect 
constructive recursive mathematics differs from Brouwer-Heyting-Kolmogorov 
intuitionism. We will return to the topic of differences between "proof witnesses" 
and "algorithm witnesses" in Section 1.4. 

The question that arises in CRM is which means one is allowed to use in 
order to establish that a particular algorithm is indeed a witness for the given 
proposition. This is not an obvious question since the termination problem is 
undecidable. Even if an algorithm terminates for every input, we can not test it 
explicitly, because there are infinitely many possible inputs. But to establish 
that an algorithm is applicable to an object $a$, the algorithm does not have to 
be executed explicitly from the beginning to the end. According to Markov [13] 
we can prove this by contradiction. That is, we are allowed to use some classical 
reasoning to prove that a particular algorithm has some particular properties. 



1.3 Markov’s Principle 

The Markov school uses intuitionistic predicate arithmetic with an additional 
principle (known as Markov's principle): 

$$\forall x.(A(x) \lor \neg A(x)) \to \neg\neg\exists x.A(x) \to \exists x.A(x) \qquad (1.1)$$

where variables range over natural numbers. Note that this principle does not 
hold for Brouwer-Heyting-Kolmogorov intuitionism, thus Markov's principle 
distinguishes these two schools of constructivism. 

¹ In this paper we use the terms proof and derivation interchangeably. 

Here is the justification of this principle in the CRM framework. Assume 
$\forall x.(A(x) \lor \neg A(x))$. Then there exists an effective procedure that for every $x$ 
decides whether $A(x)$ or $\neg A(x)$. To establish (1.1), we need to write a program 
that produces the witness of $\exists x.A(x)$. We can achieve that by writing a program 
that will try every natural number $x$ and check $A(x)$ until it finds such an $x$ 
that $A(x)$ is true. We know that it is impossible that such an $x$ would not exist 
(because of $\neg\neg\exists x.A(x)$). Therefore it is impossible that this algorithm does not 
terminate. Hence according to recursive constructivism it eventually stops. 

Markov’s principle is an important technical tool for proving termination 
of computations. Adding Markov’s principle to a traditional constructive type 
theory would considerably extend the power of the latter in a pivotal class of 
verification problems. 



1.4 Type Theory 

We assume the type theory under consideration adheres to the propositions-as- 
types principle. This principle means that a proposition is identified with the 
type of all its witnesses. A proposition is considered true if the corresponding 
type is inhabited and is considered false otherwise. This makes the terms "an 
element of a type" and "a witness of a proposition" synonyms. The elements of a 
type are actually λ-terms, i.e. programs that evaluate to a "canonical" element of 
this type. 

We also assume that the type theory is extensional. That is, to prove that 
a term $f$ is a function from $A$ to $B$, it should be sufficient to show that for 
any $a \in A$ the application $f\,a$ eventually evaluates to an element of the type $B$. 
This allows us to deal with recursive functions that we can prove will always 
terminate. We will use the $\mathrm{fix}$ operator to define recursive functions, where 
$\mathrm{fix}(f.p[f])$ is defined as $(\lambda x.p[xx])(\lambda x.p[xx])$, i.e. $\mathrm{fix}$ is the operator with the 
following property: $\mathrm{fix}(f.p[f]) \mapsto p[\mathrm{fix}(f.p[f])]$. Although the general typing 
rule for $\mathrm{fix}$ 

$$\dfrac{f : A \to A \vdash p[f] \in A \to A}{\vdash \mathrm{fix}(f.p[f]) \in A \to A}$$

is unsound, for some particular $p$ we can prove that $\mathrm{fix}(f.p[f])$ is a well- 
typed function. 

Note that in an extensional type theory a witness of a proposition $T$ is not the 
same as a derivation of a proposition $T$. In general, a witness (i.e. an element) of 
the type $T$ may potentially range from a full encoding of some derivation of $T$ to 
a trivial constant. For example, if $V$ is an empty type, then every function has 
type $V \to W$, e.g. a function $\lambda x.\mathrm{foo}$ is an element of $(A \land \neg A) \to T$ (although 
$\lambda x.\mathrm{foo}$ does not encode any derivation of the proposition $(A \land \neg A) \to T$). Note that 
the question of whether a particular term is a witness of a particular proposition 
is in general undecidable. 
We assume that the type theory has a membership type "$t \in T$" which 
stands for the proposition "$t$ is an element of type $T$". The only witness of a 
membership proposition is a special constant $\bullet$². 

We assume that $t \in A$ implies $A$. The inverse should also be true: 

Property 1.1. If we can prove $\Gamma \vdash A$ then there is a term $t$ such that $\Gamma \vdash t \in A$. 

Remark 1.2. The reason we want judgments of the form $\Gamma \vdash T$ and not just 
$\Gamma \vdash t \in T$ is that we are interested in type theories that can be used as a 
foundation for theorem provers. In a theorem prover situation we want the user to 
be able to state and prove a judgment of the form $\Gamma \vdash T$ and have the system 
"extract" $t$ from the resulting derivation instead of being required to figure out 
and provide $t$ upfront. 

In this paper we present several formal derivations. These derivations were 
machine-checked in the MetaPRL system [10]. The rules used in those derivations 
are summarized in Appendix A. The results of Sections 2, 3 and 4 are valid for 
any type theory containing this set of rules and satisfying Property 1.1. The 
results of Sections 5 and 6 also require an intensional semantics. 
NuPRL is an example of a type theory that satisfies all these constraints. 

However, most of our ideas can be easily applied to an even wider class of 
type theories. For example, typing rules are not really essential. Additionally, 
we do not need a membership type to express Markov’s principle, we can use 
the squash operator instead (Section 4). And as Section 7 shows, our form of 
Markov’s principle can be used even in a purely propositional fragment of type 
theory without arithmetic and quantifiers. 

2 Constructive Recursive Mathematics in a Type Theory with a Membership Type 

Suppose one has proved that $A$ implies $t \in T$ and $\neg A$ also implies $t \in T$. 
Then classically we can conclude that $T$ is inhabited. Moreover the philosophy 
of recursive constructivism allows us to conclude that $T$ is true constructively, 
because we can explicitly provide a constructive object $t$ as an element of $T$. 
In other words, since the witness of $T$ (which is just $t$) does not depend on the 
proof of $t \in T$, $T$ has a uniform witness regardless of whether $A$ is true or not 
(although the proof that $t$ is a witness of $T$ may depend on $A$). 

This argument establishes that the following type theory rule is valid accord- 
ing to recursive constructivism: 

$$\dfrac{\Gamma;\,x : A \vdash t \in T \qquad \Gamma;\,y : \neg A \vdash t \in T \qquad \Gamma \vdash A\ \mathrm{Type}}{\Gamma \vdash t \in T}\qquad(2.1)$$

This rule formalizes exactly the philosophy of the recursive constructivism. 

² The MetaPRL system [9,10] uses the unit element () or "it" as $\bullet$, NuPRL uses Ax and 
[18] uses Triv. 
Remark 2.1. Note that in NuPRL-like type theories $t \in T$ is well-formed only 
when $t$ is in fact an element of $T$. Therefore the rule stating that $\neg\neg(t \in T)$ 
implies $t \in T$ would be useless. On the other hand, in NuPRL type theory (2.1) 
is equivalent to 

$$\dfrac{\Gamma \vdash \neg\neg(s \in T) \qquad \Gamma \vdash \neg\neg(t \in T) \qquad \Gamma \vdash \neg\neg(s = t \in T)}{\Gamma \vdash s = t \in T}\qquad(2.2)$$

but the proof of (2.2) ⇒ (2.1) is very NuPRL-specific. 



3 Squashed Types and Squash-Stability 



Below we will assume that our type theory contains a "squash" operator. For 
each type $A$ we define a type $[A]$ ("squashed $A$") which is empty if and only if 
$A$ is empty and contains a single element $\bullet$ when $A$ is inhabited. Informally one 
can think of $[A]$ as a proposition that says that $A$ is a non-empty type. 

We define the squash operator as a primitive type constructor with the 
following rules (cf. [15])³: 



$$\dfrac{\Gamma \vdash A}{\Gamma \vdash [A]}\;(I_{sq}) \qquad \dfrac{\Gamma \vdash A}{\Gamma \vdash \bullet \in [A]}\;(M_{sq})$$

$$\dfrac{\Gamma;\,x : A;\,\Delta \vdash [B]}{\Gamma;\,v : [A];\,\Delta \vdash [B]}\;(E_{sq}) \quad (v, x \text{ are not free in } \Delta, B)$$

$$\dfrac{\Gamma \vdash [t \in T]}{\Gamma \vdash t \in T}\;(\mathit{MembershipSqstable}) \qquad \dfrac{\Gamma \vdash A\ \mathrm{Type}}{\Gamma \vdash [A]\ \mathrm{Type}}\;(W_{sq})$$

Note that $(E_{sq})$ and $(\mathit{MembershipSqstable})$ can be replaced by one rule 

$$\dfrac{\Gamma;\,x : A;\,\Delta[\bullet] \vdash t \in T}{\Gamma;\,v : [A];\,\Delta[v] \vdash t \in T}\;(E'_{sq}) \quad (v, x \text{ are not free in } \Delta, t, T)$$

The $(I_{sq})$ rule allows us to prove that $A \vdash [A]$. Note that $[A]$ does not 
imply $A$, because $[A]$ does not provide a witness for $A$. We can only derive that 

$$[A] \vdash \neg\neg A.$$

The squash operator allows us to formulate an important notion of squash 
stability. Although $[A]$ does not provide a witness for $A$ in general, in some cases 
we know what the witness would be in the case when $A$ is non-empty. For example 
we know that if $t \in T$ is true, then $\bullet$ is the witness for the type $t \in T$. We will 
refer to such types as squash-stable types. For such types we can conclude that 
$[A] \vdash A$. 

Definition 3.1. A type $T$ is squash-stable (in context $\Gamma$) when $\Gamma;\,x : T \vdash t \in T$ 
is provable for some $t$ that does not have free occurrences of $x$. 

³ In a type theory that has a set type (also sometimes called "subset type") construc- 
tor, the squashed type $[A]$ can also be defined as $\{x : \mathrm{Unit} \mid A\}$ where $\mathrm{Unit}$ is a 
singleton type which contains only $\bullet$ and $x$ is a variable that does not occur in $A$. 

Using the squash operator we can formulate squash stability as a proposition 
in a type theory. 

Lemma 3.2. $T$ is squash-stable in a context $\Gamma$ if and only if one can derive 

$$\Gamma;\,v : [T] \vdash T$$

Proof. Suppose $T$ is squash-stable. Then we have the following derivation of 
$\Gamma;\,v : [T] \vdash T$: 

$$\dfrac{\dfrac{\Gamma;\,x : T \vdash t \in T}{\Gamma;\,v : [T] \vdash t \in T}\;(E'_{sq})}{\Gamma;\,v : [T] \vdash T}$$

Now assume that $\Gamma;\,v : [T] \vdash T$. Then for some term $t$ we have $\Gamma;\,v : [T] \vdash t \in T$. 
Term $t$ may depend on $v$, i.e. $v$ may be a free variable of $t$. Let $t = t[v]$. 
Now let $x$ be an arbitrary variable not occurring freely in $t$. Now we can derive 
the following: 

$$\dfrac{\dfrac{\Gamma;\,x : T \vdash T}{\Gamma;\,x : T \vdash \bullet \in [T]}\;(M_{sq}) \qquad \Gamma;\,v : [T] \vdash t[v] \in T}{\Gamma;\,x : T \vdash t[\bullet] \in T}\;(\mathit{Let})$$

Therefore $T$ is squash-stable. 

We have already seen that $t \in T$ is a squash-stable type. The squash type itself 
is also squash-stable because we know that $\bullet \in [A]$ whenever $[A]$ is true. Other 
examples of squash-stable types include the empty type ($\bot$) and negations of 
arbitrary types ($\neg A$). Note that the conjunction of two squash-stable types is 
also squash-stable. But a disjunction of two squash-stable types is not necessarily 
squash-stable since there is no way to figure out which of the disjuncts is true 
when we only know that at least one of them must be true. 

4 Classical Reasoning on Squashed Types 

The squash operator gives us an alternative way of formulating constructive 
recursive mathematics in a type theory. Let us consider a problem similar to the 
one we considered in Section 2. 

Suppose we have constructively proved that $A \to B$ and $(\neg A) \to B$. It means 
that there is an algorithm that produces an element of $B$ when $A$ is true, and 
another algorithm that produces an element of $B$ when $A$ is false. Classically we 
know that $B$ is true, because in each case we can produce an element of $B$. But 
in the case when $A$ is undecidable, $B$ is not necessarily known to be constructively 
true, since we do not have a uniform algorithm for producing an element of $B$. 
In intuitionistic mathematics we can only prove $\neg\neg B$ in this case. 

Now suppose $B$ is squash-stable. Then there exists an element $b$ such that 
$b \in B$ whenever $B$ is non-empty. We know that $B$ is not an empty type regardless 
of whether $A$ is true. The constant algorithm that returns $b$ does not depend on 
the truth of $A$. Therefore in constructive recursive mathematics we can conclude 
that $B$ is constructively true, because we have an element $b$ such that $b \in B$. 

This reasoning establishes the following rule: 

$$\dfrac{\Gamma;\,x : A \vdash B \qquad \Gamma;\,y : \neg A \vdash B \qquad \Gamma;\,v : [B] \vdash B \qquad \Gamma \vdash A\ \mathrm{Type}}{\Gamma \vdash B}\qquad(4.1)$$

This rule allows us to turn classical proofs of squash-stable statements into 
constructive ones. It is clear that rule (2.1) from Section 2 is a particular instance 
of (4.1). We will show that these two rules are in fact equivalent. We can also 
write a simpler version of the same rule: 

$$\dfrac{\Gamma \vdash \neg\neg A \qquad \Gamma \vdash A\ \mathrm{Type}}{\Gamma \vdash [A]}\qquad(4.2)$$

This rule states that $[A] \Leftrightarrow \neg\neg A$ or, informally, $A$ is a non-empty type if and 
only if it is not an empty type. 

Another way to formulate the same principle is to allow classical reasoning 
inside the squash operator: 

$$\dfrac{\Gamma \vdash A\ \mathrm{Type}}{\Gamma \vdash [A \lor \neg A]}\qquad(4.3)$$

The following two theorems state that all the above rules are equivalent and 
that they imply Markov's principle. This shows that we can formulate Markov's 
principle in a very simple language: we only need a propositional language with 
the modal operator "squash". 

Theorem 4.1. The rules (2.1), (4.1), (4.2) and (4.3) are equivalent. 

Proof. (4.1) ⇒ (2.1). Take $B = (t \in T)$. We know that $t \in T$ is squash-stable, 
therefore we can apply rule (4.1) to derive (2.1). 

(2.1) ⇒ (4.2). 

$$\dfrac{
\dfrac{\Gamma;\,x : A \vdash A}{\Gamma;\,x : A \vdash \bullet \in [A]}
\qquad
\dfrac{\dfrac{\Gamma \vdash \neg\neg A \qquad \Gamma;\,y : \neg A;\,z : \neg\neg A \vdash \bot}{\Gamma;\,y : \neg A \vdash \bot}\;(\mathit{Cut})}{\Gamma;\,y : \neg A \vdash \bullet \in [A]}
\qquad
\Gamma \vdash A\ \mathrm{Type}
}{
\dfrac{\Gamma \vdash \bullet \in [A]}{\Gamma \vdash [A]}
}\;(2.1)$$

(4.2) ⇒ (4.3). 
It is easy to establish that $\neg\neg(A \lor \neg A)$ is an intuitionistic tautology. Therefore 
we have the following derivation: 

$$\dfrac{
\dfrac{\Gamma \vdash A\ \mathrm{Type}}{\Gamma \vdash \neg\neg(A \lor \neg A)}
\qquad
\Gamma \vdash A\ \mathrm{Type}
}{\Gamma \vdash [A \lor \neg A]}\;(4.2)$$

(4.3) ⇒ (4.1). 

$$\dfrac{
\dfrac{
\dfrac{\Gamma \vdash A\ \mathrm{Type}}{\Gamma \vdash [A \lor \neg A]}\;(4.3)
\qquad
\dfrac{\dfrac{\dfrac{\Gamma;\,x : A \vdash B \qquad \Gamma;\,y : \neg A \vdash B}{\Gamma;\,z : A \lor \neg A \vdash B}\;(E_\lor)}{\Gamma;\,z : A \lor \neg A \vdash [B]}\;(I_{sq})}{\Gamma;\,v : [A \lor \neg A] \vdash [B]}\;(E_{sq})
}{\Gamma \vdash [B]}\;(\mathit{Cut})
\qquad
\Gamma;\,[B] \vdash B
}{\Gamma \vdash B}\;(\mathit{Cut})$$



Theorem 4.2. Using one of these rules one can prove Markov's principle in a 
type theory: 

$$\forall x{:}\mathbb{N}.(A(x) \lor \neg A(x)) \to \neg\neg\exists x{:}\mathbb{N}.A(x) \to \exists x{:}\mathbb{N}.A(x)$$

Proof. We need to show that the following sequent is derivable: 

$$d : \forall x{:}\mathbb{N}.(A(x) \lor \neg A(x));\ v : \neg\neg\exists x{:}\mathbb{N}.A(x) \vdash \exists x{:}\mathbb{N}.A(x)$$

The proof is just a formalization of Markov's reasoning [13]. We are given the 
element $d$ of the type $\forall x{:}\mathbb{N}.(A(x) \lor \neg A(x))$. That means that $d$ is an algorithm 
that given a natural number $x$ decides whether $A(x)$ holds. Now we construct a 
function $f_d$ that would find an $x$ such that $A(x)$. Let $f_d$ be the following function 

$$\mathrm{fix}\bigl(f.\,\lambda x.\,\mathrm{decide}[d(x);\ a.(x, a);\ b.f(x+1)]\bigr)$$

that is a function such that 

$$f_d(x) = \begin{cases} (x, a), & \text{if } A(x) \text{ is true and } a \in A(x) \\ f_d(x+1), & \text{if } A(x) \text{ is false} \end{cases}$$




578 



Alexei Kopylov and Aleksey Nogin 



If we are given a natural $n$ such that $A(n)$ is true, then we have a bound for 
the computation of $f_d(n - k)$. One can prove that $\forall k \le n.\ f_d(n - k) \in \exists x{:}\mathbb{N}.A(x)$ 
by induction on $k$. Therefore $f_d(0) \in \exists x{:}\mathbb{N}.A(x)$. Then we have the following 
derivation: 

$$\dfrac{\dfrac{d : \forall x{:}\mathbb{N}.(A(x) \lor \neg A(x));\ n : \mathbb{N};\ u : A(n) \vdash f_d(0) \in \exists x{:}\mathbb{N}.A(x)}{d : \forall x{:}\mathbb{N}.(A(x) \lor \neg A(x));\ \exists x{:}\mathbb{N}.A(x) \vdash f_d(0) \in \exists x{:}\mathbb{N}.A(x)}\;(E_\exists)}{d : \forall x{:}\mathbb{N}.(A(x) \lor \neg A(x));\ [\exists x{:}\mathbb{N}.A(x)] \vdash f_d(0) \in \exists x{:}\mathbb{N}.A(x)}\;(E'_{sq})$$

Now we are left to show that $\neg\neg\exists x{:}\mathbb{N}.A(x)$ implies $[\exists x{:}\mathbb{N}.A(x)]$. This is true 
because of the rule (4.2). 
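As an added illustration (not code from the paper), the following Python program writes out the search function $f_d$ from the proof above, which is also the unbounded search used to justify Markov's principle in Section 1.3. The decider `d` stands in for the element $d$ of $\forall x{:}\mathbb{N}.(A(x) \lor \neg A(x))$: it returns a witness of $A(x)$ or `None`. The two deciders and the byte sample at the bottom are constructed for this example; `search_with_bound` is this example's own name for running $f_d(0)$ once a bound $n$ with $A(n)$ is known.

```python
"""Markov's search function f_d, written out in Python.

This is an added illustration, not code from the paper.  A decider d plays
the role of the element d : forall x:N. (A(x) or not A(x)): d(x) returns a
witness of A(x) when A(x) holds and None when not A(x) holds.  The two
deciders at the bottom are constructed for this example.
"""
from typing import Any, Callable, Optional, Tuple

Decider = Callable[[int], Optional[Any]]


def markov_search(d: Decider, start: int = 0) -> Tuple[int, Any]:
    """f_d = fix(f. \\x. decide[d(x); a.(x, a); b. f(x + 1)]).

    Each loop iteration is one unfolding of the fixpoint.  Nothing here
    bounds the search: it terminates only because some x with A(x) exists,
    which is exactly what the hypothesis not-not-exists x. A(x) guarantees
    once Markov's principle is accepted.
    """
    x = start
    while True:
        a = d(x)
        if a is not None:      # branch a.(x, a): A(x) holds, return the pair
            return (x, a)
        x += 1                 # branch b.f(x + 1): not A(x), try the next number


def search_with_bound(d: Decider, n: int) -> Tuple[int, Any, int]:
    """Run f_d(0) when a natural n with A(n) is already known.

    This is the situation in the induction of Theorem 4.2: f_d(n - k)
    terminates for every k <= n, so f_d(0) calls d at most n + 1 times.
    Returns (x, witness, number_of_calls) and checks that bound.
    """
    if d(n) is None:
        raise ValueError("A(n) must hold for n to bound the search")
    calls = 0
    x = 0
    while True:
        calls += 1
        a = d(x)
        if a is not None:
            assert calls <= n + 1, "bound from the induction on k violated"
            return (x, a, calls)
        x += 1


# Constructed decider 1: A(x) := x*x > 50; the witness is the square itself.
def square_above_fifty(x: int) -> Optional[int]:
    return x * x if x * x > 50 else None


# Constructed decider 2: A(x) := the x-th byte of SAMPLE is a NUL byte.
# For x beyond the sample A(x) is false, so markov_search would loop
# forever on a sample without a NUL: the search is only justified when
# not-not-exists x. A(x) is known.
SAMPLE = b"\x41\x42\x43\x00\x44"   # constructed sample input


def nul_byte_at(x: int) -> Optional[int]:
    if x < len(SAMPLE) and SAMPLE[x] == 0:
        return x
    return None


if __name__ == "__main__":
    print(markov_search(square_above_fifty))          # (8, 64)
    print(search_with_bound(square_above_fifty, 20))  # (8, 64, 9)
    print(markov_search(nul_byte_at))                 # (3, 3)
```

The loop never inspects a bound, which is the point of the paper's argument: the program is the same whether or not we know $n$, and only the justification that it terminates changes.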

5 Semantical Consistency of Markov’s Principle 

Theorem 5.1. The rule (4.3) (as well as its equivalents (2.1), (4.1) and (4.2)) 
is valid in S. Allen's semantics [1,2] if we consider it in a classical meta-theory. 

Proof. We need to show that $\Gamma \vdash [A \lor \neg A]$ is true when $A$ is a type. It is clear 
that $[A \lor \neg A]$ is a well-formed type. To prove that it is a true proposition we 
have to find a term in this type. Let us prove that $\bullet$ is the witness of $[A \lor \neg A]$. 
Since we are in a classical meta-theory, for every instantiation of the variables 
introduced by $\Gamma$, $A$ is either empty or not. If $A$ is non-empty, then $A \lor \neg A$ is 
non-empty and so $\bullet \in [A \lor \neg A]$. If $A$ is an empty type, then $\neg A$ is a non-empty 
type and so $\bullet$ is again in $[A \lor \neg A]$. Therefore $\bullet \in [A \lor \neg A]$ always holds. 

Note that we can not prove that $\Gamma \vdash A \lor \neg A$ is valid even using a classical 
meta-theory, because there is no uniform witness for $A \lor \neg A$. 



Corollary 5.2. The rule (4.3) (and its equivalents) is consistent with the 
NuPRL type theory containing the theory of partial functions [7]. 

Note however that the rule of excluded middle $\Gamma \vdash A \lor \neg A$ is known to be 
inconsistent with the theory of [7]. In particular, in that theory we can prove 
that there exists an undecidable proposition. That is, for some $P$ the following 
is provable: 

$$\neg(\forall n{:}\mathbb{N}.\,P(n) \lor \neg P(n)) \qquad (5.1)$$

Therefore even using rule (4.3) we can not prove that 

$$[\forall n{:}\mathbb{N}.\,P(n) \lor \neg P(n)]$$

(which would contradict (5.1)). But we can prove a weaker statement 

$$\forall n{:}\mathbb{N}.\,[P(n) \lor \neg P(n)]$$

that does not contradict (5.1). 
6 Squash Operator as Modality 

The squash operator can be considered as an intuitionistic modality. It turns 
out that it behaves like the lax modality (denoted by $\bigcirc$) of the Propositional 
Lax Logic (PLL) [8]. This logic was developed independently for several different 
purposes (see [8] for an overview). 

PLL is the extension of intuitionistic logic with the following rules (in Gentzen 
style): 

$$\dfrac{\Gamma \vdash A}{\Gamma \vdash [A]} \qquad \dfrac{\Gamma;\,A \vdash [B]}{\Gamma;\,[A] \vdash [B]}$$

PLL⁺ is PLL + $(\neg[\bot])$, i.e. PLL⁺ has an additional rule: 

$$\dfrac{\Gamma;\,A \vdash \bot}{\Gamma;\,[A] \vdash \bot}$$

PLL* is PLL⁺ + $([A] \Leftrightarrow \neg\neg A)$. We can write this axiom as the rule in Gentzen 
style: 

$$\dfrac{\Gamma;\,\neg A \vdash \bot}{\Gamma \vdash [A]}$$

PLL⁺ and PLL* are decidable and have natural Kripke models [8]. They have the 
cut elimination property. PLL⁺ has the subformula property. PLL* also has the 
subformula property if we define $\neg A$ to be a subformula of $[A]$. 

Theorem 6.1. Let $A$ be a propositional formula with the squash modality. Let 
$\Gamma$ be a set of hypotheses of the form $x : (p\ \mathrm{Type})$ for all propositional variables $p$ 
in $A$. Then 

(i) PLL⁺ $\vdash A$ iff $\Gamma \vdash A$ is derivable in the type theory without (4.3); 

(ii) PLL* $\vdash A$ iff $\Gamma \vdash A$ is derivable in the type theory with (4.3). 

Proof. From left to right this theorem can be proved by induction on the derivation 
in PLL⁺ (PLL*). The right to left direction needs semantical reasoning. We 
will only outline the proof for PLL*. 

Let $A'$ be the formula $A$ where all subformulas of the form $[B]$ are replaced 
by $\neg\neg B$. If $\Gamma \vdash A$ is derivable in the type theory with (4.3) then this sequent 
is valid in the standard semantics in a classical meta-theory (Theorem 5.1). Since 
$[B] \Leftrightarrow \neg\neg B$ is true in this semantics, $\Gamma \vdash A'$ is also true. $A'$ is a modality-free 
formula. Therefore $A'$ is a valid intuitionistic formula. Hence $A'$ is derivable in 
intuitionistic propositional logic. Since we have $[B] \Leftrightarrow \neg\neg B$ in PLL*, we can 
derive $A$ in PLL*. 



Remark 6.2. It is possible to consider the lax modality in PLL+ as the diamond 
modality in the natural intuitionistic analog of S4 (in the style of [20]) with an 
additional rule OA o A. Note that since in intuitionistic logics □ and O are not 
interdefinable, OA A does not imply OA o A. 
Example 6.3. We can prove some basic properties of squash in PLL⁺: 

$$[A] \to \neg\neg A$$

$$[A] \leftrightarrow [[A]]$$

$$[A \land B] \leftrightarrow ([A] \land [B])$$

$$[A \to B] \to ([A] \to [B]), \text{ but } ([A] \to [B]) \to [A \to B] \text{ is true only in PLL*}$$

$$[\neg A] \leftrightarrow \neg[A]$$

$$([A] \lor [B]) \to [A \lor B], \text{ however } [A \lor B] \not\to [A] \lor [B] \text{ even in PLL*}$$

We can express the notion of squash-stability in this logic as $\mathit{sqst}(A) = [A] \to A$. 

Example 6.4. The following properties of squash-stability are derivable in PLL⁺: 

$$\mathit{sqst}(\bot) \qquad \mathit{sqst}(\neg A) \qquad \mathit{sqst}([A])$$

$$\mathit{sqst}(A) \land \mathit{sqst}(B) \to \mathit{sqst}(A \land B), \text{ but } \mathit{sqst}(A) \lor \mathit{sqst}(B) \not\to \mathit{sqst}(A \lor B)$$

$$\mathit{sqst}(B) \to \mathit{sqst}(A \to B)$$

In PLL* we can also prove 

$$\mathit{sqst}(A) \to (\neg\neg A \to A)$$



7 Example: What Logic Do We Use in the Court? 

It is clear that we do not use pure classical logic in the court. Let us consider 
the following cases. 

Case 7.1. One night a jewelry shop was robbed. The same night a barber shop 
was robbed in another town. It was clear that these two robberies were com- 
mitted by different people. There were two suspects, X and Y for both cases. 
It was determined that no one else could have committed these crimes. Is this 
information enough to sentence someone? 

Let us formulate this problem in logic. Let 

— $J$ stand for "the jewelry shop was robbed", 

— $J_t$ stand for "$t$ is guilty of robbing the jewelry shop", 

— $B$ stand for "the barber shop was robbed", 

— $B_t$ stand for "$t$ is guilty of robbing the barber shop", 

— $G_t$ stand for "$t$ is guilty", 

where $t$ is $X$ or $Y$. 

We know the following: 

1. $J \land B$ (the jewelry and barber shops were robbed) 

2. $(\neg J_X \land \neg J_Y) \to \neg J$ (no one but X or Y robbed the jeweler) 

3. $(\neg B_X \land \neg B_Y) \to \neg B$ (no one but X or Y robbed the barber) 

4. $\neg(J_t \land B_t)$, where $t = X, Y$ (no one could rob both shops) 

5. $J_t \to G_t$, where $t = X, Y$ (Criminal Law) 

6. $B_t \to G_t$, where $t = X, Y$ (Criminal Law) 
Using these assumptions one can classically prove $G_X$ and $G_Y$. Here is the 
proof that X is guilty in the prosecutor's words. 

"X is guilty! Only X and Y could rob the jeweler. If X robbed the jewelry 
shop, then he is guilty. Suppose for a moment that X is innocent in this robbery. 
Then Y robbed the jewelry shop. Therefore he could not have robbed the barber. 
Hence the barber was robbed by X, because no one else did this. Again X is 
guilty." 

Should the jury accept this classical reasoning? Even if they were convinced 
by the prosecutor, they would be unable to bring in a verdict of "guilty" on X 
since such a verdict must specify a particular crime of which X is found guilty. This 
is especially clear if the punishment for robbing jewelry shops is different from 
the punishment for robbing barber shops. The judge would not be able to "extract a 
constructive element" (i.e. determine the sentence) from the prosecutor's proof. 

In terms of Section 3, $G_t$ is not a squash-stable proposition. 

Case 7.2. The jewelry shop was robbed again. Now there were three suspects, 
two twin brothers X and Y, and their friend Z. At the trial, it was determined 
that only X, Y and Z were able to commit the robbery. It was also determined 
that the shop was robbed by at least two robbers. One of the twins X or Y was 
seen in another town on the night of the crime, but unfortunately, since they are 
twins, there was no way to determine exactly who it was. Can the jury find someone 
guilty? 

It is easy to see that we can prove that Z is guilty using classical reasoning. 
But as we have learned from the previous case, classical proofs are not sufficient in 
court. However, this case differs from the previous one! We can prove (classically, 
of course) not only that Z is guilty, but also that Z is guilty of a particular 
crime. Therefore the judge has enough information to pass sentence on Z. 

In the terms of Section 3 we can say that while the proposition "Z is guilty" 
is not squash-stable, the proposition "Z robbed a particular jewelry store on a 
certain date" is squash-stable (since we know how to pass a sentence when this 
proposition is true). This assumption together with the rule (4.1) allows us to 
bring Z to justice. 

Here is a formal constructive proof (again $J_t$ stands for "$t$ robbed the jewelry 
shop" and $G_t$ stands for "$t$ is guilty"): 

The three leftmost leaves say, respectively, that X or Y has an alibi and (twice) 
that two of the suspects are robbers; the rightmost leaf uses that $J_Z$ is 
squash-stable. 

$$\dfrac{
\dfrac{\vdash \neg J_X \lor \neg J_Y \qquad \neg J_Y \vdash J_X \land J_Z \qquad \neg J_X \vdash J_Y \land J_Z}{J_X \vdash J_Z \qquad \neg J_X \vdash J_Z}\;(\mathit{Cut})
\qquad
\dfrac{J_Z \text{ is squash-stable}}{[J_Z] \vdash J_Z}
}{
\dfrac{\vdash J_Z}{\vdash G_Z}\;(\text{Criminal Law})
}\;(4.1)$$
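As an added illustration of Cases 7.1 and 7.2 (not from the paper), the following Python program enumerates the classical models of each set of assumptions. It checks that the conclusions are classically entailed and then asks whether the same "constructive element" (here, the crime a sentence would have to name) is available in every model: in Case 7.1 the crime attributed to X differs between models, so $G_X$ has no uniform witness, while in Case 7.2 every model names the same crime for Z. The atom names (`JX`, `BY`, ...) and the helper names are this example's own.

```python
"""Classical models of the two court cases, checked by brute force.

Added illustration, not code from the paper.  A conclusion has a "uniform
witness" when the same piece of evidence (which crime) is available in every
model of the assumptions; this mirrors squash-stability of the conclusion.
"""
from itertools import product
from typing import Callable, Dict, Iterable, List, Optional

Model = Dict[str, bool]
Formula = Callable[[Model], bool]


def models(atoms: List[str], constraints: Iterable[Formula]) -> List[Model]:
    """All truth assignments to the atoms that satisfy every constraint."""
    cs = list(constraints)
    found = []
    for values in product([False, True], repeat=len(atoms)):
        m = dict(zip(atoms, values))
        if all(c(m) for c in cs):
            found.append(m)
    return found


def entails(ms: List[Model], claim: Formula) -> bool:
    """Classical entailment: the claim holds in every model (and there is one)."""
    return bool(ms) and all(claim(m) for m in ms)


def uniform_witness(ms: List[Model], witness: Callable[[Model], str]) -> Optional[str]:
    """The witness if every model supplies the same one, otherwise None."""
    ws = {witness(m) for m in ms}
    return ws.pop() if len(ws) == 1 else None


# Case 7.1.  Atoms J_t ("t robbed the jewelry shop") and B_t 
# ("t robbed the barber shop").  Assumption 1 with the contrapositives of
# 2 and 3 gives J_X or J_Y and B_X or B_Y; assumption 4 forbids one person
# robbing both shops.
CASE_71 = models(
    ["JX", "JY", "BX", "BY"],
    [lambda m: m["JX"] or m["JY"],
     lambda m: m["BX"] or m["BY"],
     lambda m: not (m["JX"] and m["BX"]),
     lambda m: not (m["JY"] and m["BY"])],
)


def guilty(t: str) -> Formula:
    """Assumptions 5 and 6: G_t follows from J_t or B_t."""
    return lambda m: bool(m.get("J" + t) or m.get("B" + t))


def crime_of(t: str) -> Callable[[Model], str]:
    """The constructive element a sentence needs: which crime t committed."""
    return lambda m: "jewelry" if m.get("J" + t) else "barber"


# Case 7.2.  Only X, Y, Z could have robbed the shop, at least two of them
# did, and one of the twins X, Y has an alibi.
CASE_72 = models(
    ["JX", "JY", "JZ"],
    [lambda m: sum(m.values()) >= 2,
     lambda m: not m["JX"] or not m["JY"]],
)


if __name__ == "__main__":
    print("Case 7.1 models:", CASE_71)
    print("G_X entailed:", entails(CASE_71, guilty("X")),
          "uniform crime for X:", uniform_witness(CASE_71, crime_of("X")))
    print("Case 7.2 models:", CASE_72)
    print("J_Z entailed:", entails(CASE_72, lambda m: m["JZ"]),
          "uniform crime for Z:", uniform_witness(CASE_72, crime_of("Z")))
```

Both cases have exactly two models. In Case 7.1 they are "X robbed the jeweler, Y the barber" and its mirror image, so the prosecutor's classical proof of $G_X$ survives while the crime to be named in the sentence does not; in Case 7.2 the models are $\{J_X, J_Z\}$ and $\{J_Y, J_Z\}$, and $J_Z$, the squash-stable leaf of the proof tree above, holds in both.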
8 Related Work 

Our notion of squash-stability is very similar to the squash-stability defined in 
[9, Section 14.2] and to the notion of computational redundancy [3, Section 3.4]. 

The squash operator we use is similar to the notion of proof irrelevance [11,17]. 
Each object in a proof irrelevance type is considered to be equal to any other 
object of this type. In [17] proof irrelevance was expressed in terms of a certain 
modality $\Delta$. If $A$ is a type then $\Delta A$ is a type containing all elements of $A$ 
considered equal. Using NuPRL notation we can write $\Delta A = A /\!/ \mathrm{True}$, where 
$A /\!/ P$ is the quotient of a type $A$ over the relation $P$. We can prove the following 
chain: 

$$A \to \Delta A \to [A] \to \neg\neg A$$

The main difference between $[A]$ and $\Delta A$ is that there is no uniform element for 
$\Delta A$. Therefore $\Delta A$ is not squash-stable and $[A]$ does not imply $\Delta A$. However it 
seems that the modal logic of the $\Delta$ modality is the same as the logic of squash 
(i.e. PLL⁺). 

As far as we know Markov's principle in type theory was considered only by 
Erik Palmgren in [16]. He proved that a fragment of intensional Martin-Löf type 
theory is closed under Markov's rule: 

$$\dfrac{\Gamma \vdash \neg\neg\exists x{:}A.P[x]}{\Gamma \vdash \exists x{:}A.P[x]}$$

where $P[x]$ is an equality type (i.e. $P[x]$ is $t[x] = s[x] \in T$). It is easy to see that 
this formulation of Markov's rule is not valid for type theories with undecidable 
equality and, in particular, in extensional type theories. 



A The “Minimal” Set of Rules 



The judgments of the type theory are the sequents of the following form 

$$x_1 : A_1;\ x_2 : A_2[x_1];\ \ldots;\ x_n : A_n[x_1, \ldots, x_{n-1}] \vdash C[x_1, \ldots, x_n]$$

This sequent is true if we have a uniform witness $t[x_1, \ldots, x_n]$ such that for every 
$x_1, \ldots, x_n$, if $x_i \in A_i[x_1, \ldots, x_{i-1}]$ then $t[x_1, \ldots, x_n]$ is a member of 
$C[x_1, \ldots, x_n]$. The inference rules are presented below⁴. For every type 
constructor we have a well-formedness rule ($W$), an introduction rule ($I$), an 
elimination rule ($E$) and a membership introduction rule ($M$). 

Syntax rules: 

$$\Gamma;\,x : A;\,\Delta[x] \vdash A\;(\mathit{Ax}) \qquad \dfrac{\Gamma;\,\Delta \vdash A \qquad \Gamma;\,x : A;\,\Delta \vdash C}{\Gamma;\,\Delta \vdash C}\;(\mathit{Cut}) \qquad \dfrac{\Gamma \vdash a \in A \qquad \Gamma;\,x : A \vdash C[x]}{\Gamma \vdash C[a]}\;(\mathit{Let})$$

Membership: 

$$\dfrac{\Gamma \vdash t \in A}{\Gamma \vdash (t \in A)\ \mathrm{Type}}\;(W_\in) \qquad \Gamma;\,x : A;\,\Delta[x] \vdash x \in A\;(I_\in)$$

$$\dfrac{\Gamma \vdash t \in A}{\Gamma \vdash \bullet \in (t \in A)}\;(M_\in) \qquad \dfrac{\Gamma \vdash t \in A}{\Gamma \vdash A}\;(E_\in) \qquad \dfrac{\Gamma \vdash A\ \mathrm{Type}}{\Gamma \vdash \bullet \in (A\ \mathrm{Type})}\;(M_{\mathrm{Type}})$$

⁴ Some of these rules are redundant. For example most of the introduction rules are 
derivable from their membership introduction counterparts. The (Let) rule is 
derivable from the (Cut) rule using the function type. 
Disjunction: 

$$\dfrac{\Gamma \vdash A\ \mathrm{Type} \qquad \Gamma \vdash B\ \mathrm{Type}}{\Gamma \vdash A \lor B\ \mathrm{Type}}\;(W_\lor) \qquad \dfrac{\Gamma \vdash A_i}{\Gamma \vdash A_1 \lor A_2}\;(I_\lor)$$

$$\dfrac{\Gamma \vdash a \in A}{\Gamma \vdash \mathrm{inl}\ a \in A \lor B}\;(M_{\lor 1}) \qquad \dfrac{\Gamma \vdash b \in B}{\Gamma \vdash \mathrm{inr}\ b \in A \lor B}\;(M_{\lor 2})$$

$$\dfrac{\Gamma;\,x : A;\,\Delta[\mathrm{inl}\ x] \vdash C[\mathrm{inl}\ x] \qquad \Gamma;\,y : B;\,\Delta[\mathrm{inr}\ y] \vdash C[\mathrm{inr}\ y]}{\Gamma;\,z : A \lor B;\,\Delta[z] \vdash C[z]}\;(E_\lor)$$

Universal quantifier: 

$$\dfrac{\Gamma;\,x : A \vdash B[x]\ \mathrm{Type}}{\Gamma \vdash \forall x{:}A.B[x]\ \mathrm{Type}}\;(W_\forall) \qquad \dfrac{\Gamma;\,x : A \vdash B[x]}{\Gamma \vdash \forall x{:}A.B[x]}\;(I_\forall)$$

$$\dfrac{\Gamma;\,x : A \vdash f\,x \in B[x]}{\Gamma \vdash f \in \forall x{:}A.B[x]}\;(M_\forall) \qquad \dfrac{\Gamma;\,f : \forall x{:}A.B[x];\,\Delta[f] \vdash a \in A}{\Gamma;\,f : \forall x{:}A.B[x];\,\Delta[f] \vdash f\,a \in B[a]}\;(E_\forall)$$

Existential quantifier: 

$$\dfrac{\Gamma;\,x : A \vdash B[x]\ \mathrm{Type}}{\Gamma \vdash \exists x{:}A.B[x]\ \mathrm{Type}}\;(W_\exists) \qquad \dfrac{\Gamma \vdash a \in A \qquad \Gamma \vdash B[a]}{\Gamma \vdash \exists x{:}A.B[x]}\;(I_\exists)$$

$$\dfrac{\Gamma \vdash a \in A \qquad \Gamma \vdash b \in B[a]}{\Gamma \vdash (a, b) \in \exists x{:}A.B[x]}\;(M_\exists) \qquad \dfrac{\Gamma;\,x : A;\,y : B[x];\,\Delta[(x, y)] \vdash C[(x, y)]}{\Gamma;\,z : \exists x{:}A.B[x];\,\Delta[z] \vdash C[z]}\;(E_\exists)$$

False: 

$$\Gamma \vdash \bot\ \mathrm{Type}\;(W_\bot) \qquad \Gamma;\,x : \bot;\,\Delta[x] \vdash C\;(E_\bot)$$

Computation: the usual reduction rules, $(\lambda x.a[x])\,b \mapsto a[b]$, etc. 

Arithmetic: induction, etc. 



We assume the following definitions: 

$$A \to B = \forall x{:}A.B \qquad A \land B = \exists x{:}A.B, \text{ where } x \text{ is not free in } B$$

$$\neg A = A \to \bot \qquad \mathrm{fix}(f.p[f]) = (\lambda x.p[xx])(\lambda x.p[xx])$$

We can establish Property 1.1 in this fragment by a straightforward in- 
duction on the derivation. 
Abstract. This paper describes a calculus of partial recursive func- 
tions that range over arbitrary and possibly higher-order objects in LF 
[HHP93]. Its most novel features include recursion under λ-binders and 
matching against dynamically introduced parameters. 



1 Introduction 

Logical frameworks are meta-languages that are designed to represent deductive 
systems [Pfe99], but not all provide the functionality necessary to manipulate 
those representations. For the class of logical frameworks based on inductive 
definitions such as in Isabelle/HOL [Pau94] and Coq [DFH+93,PM93] the con- 
nection to programming has been thoroughly studied and is well understood. 
However it is not at all well understood for logical frameworks that support true 
higher-order encodings such as LF [HHP93]. In this paper we study this par- 
ticular connection and present a calculus of recursive functions that manipulate 
higher-order, dependently typed encodings. 

LF allows concise and elegant encodings of many inference systems including 
their side conditions, such as natural deduction, sequent calculi, type systems, 
operational semantics, compilers, etc. It draws its expressive power from depen- 
dent types together with higher-order representation techniques both of which 
directly support common concepts in deductive systems such as variable bind- 
ing, capture-avoiding substitutions, parametric and hypothetical judgments and 
substitution properties. The fact that these notions are an integral part of the 
logical framework would seem to make it an ideal candidate to not only reason 
within but also to express functions about various inference systems. 

Unfortunately, those higher-order representation techniques generally clash 
with common programming techniques. The problem arises as a side effect of 
the higher-order nature of encodings because recursive calls may have to traverse 
λ-binders. This stands in direct conflict with the central requirement of standard 
inductive types. The positivity condition [PM93] rules out most datatype defi- 
nitions that seem natural in LF. Carelessly mixing higher-order representation 

* This work was sponsored by NSF Grant CCR-9619584 and by the Advanced Re- 
search Projects Agency CSTO under the title “The Fox Project: Advanced Lan- 
guages for Systems Software”, ARPA Order No. C533, issued by ESC/ENS under 
Contract No. F19628-95-C-0050. 
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techniques with function definition by cases and recursion triggers the problem 
of exotic terms which undermines the adequacy of encodings. 

In functional programming languages, arguments to functions are typically 
closed and therefore functions need not be defined on free parameters. We call 
this property the closed world assumption. In fact, the positivity condition im- 
plies the closed world assumption, and is built into all logical frameworks based 
on inductive definitions such as Coq and Isabelle/HOL. However, when program- 
ming with higher-order encodings, the closed world assumption is too restrictive. 

Higher-order encodings make frequent use of abstraction as a means to rep- 
resent variable binding. For example, in a higher-order logical framework such 
as LF or the simply typed λ-calculus, the identity function 'fn x ⇒ x' may 
be represented as 'lam (λx.x)' for some constant lam. Under the closed world 
assumption, however, there is no reasonable scheme for recursion and function 
definition by cases because recursive calls may have to traverse λ-binders. 

In this paper, we propose a solution to the tension between closed worlds and higher-order encodings. We propose to weaken the closed world assumption and allow arguments to be open and depend on parameters. Worlds must not be arbitrary; on the contrary, they must be regularly formed in order to allow function extensions by those new cases that match parameters. We call this property the regular world assumption, and it guides our design of a calculus of partial recursive functions for higher-order encodings which we call T_ω^+. That T_ω^+ can be restricted to a meta-logic for LF via a realizability interpretation of proofs is an entirely orthogonal issue and is studied in another forthcoming paper.

This paper is organized as follows. In Section 2 we discuss the technique of higher-order representation, demonstrate its advantages, and compare it to alternative representation techniques. In Section 3 we motivate and analyze the regular world assumption by means of a function that embeds natural deduction derivations into the sequent calculus. We then describe the type system T_ω^+ in Section 4, whose elements are partial functions that range over possibly open LF objects. T_ω^+'s operational semantics is specified in Section 5, and its meta-theory is summarized in Section 6. A sample application is given in Section 7.



2 Higher-Order Encodings

As a motivating example, consider the standard formulation of the calculus of natural deductions [Gen35] for the implicational fragment of propositional logic depicted in Figure 1. The rules define the judgment "G is true" (Γ ⊢ G). We take the freedom to assign names to hypotheses: Γ ::= · | Γ, u :: G. There are many possible solutions for how to represent natural deduction derivations formally, and we discuss some of them below. We argue that the representation in a dependently typed, higher-order type theory such as LF [HHP93] is the most natural. We write ⌜·⌝ for the representation function and begin with the straightforward representation of formulas.




Recursion for Higher-Order Encodings 587

Fig. 1. Natural deduction calculus

$$
\frac{}{\Gamma, u :: G \vdash G}\ u
\qquad
\frac{\Gamma, u :: G_1 \vdash G_2}{\Gamma \vdash G_1 \supset G_2}\ {\supset}I^{u}
\qquad
\frac{\Gamma \vdash G_1 \supset G_2 \qquad \Gamma \vdash G_1}{\Gamma \vdash G_2}\ {\supset}E
$$

  o : type

  ⌜G1 ⊃ G2⌝ = ⌜G1⌝ imp ⌜G2⌝        imp : o → o → o

'imp' is used as an infix operator throughout this paper. In LF, judgments are represented as types, and derivations as objects. Following standard practice [Pfe91] we omit all implicit Π-abstractions from types, and we take βη-conversion as the notion of definitional equality [Coq91].

Example 1 (Representation of Figure 1 in LF).

  nd : o → type

  impi : (nd G1 → nd G2) → nd (G1 imp G2)
  impe : nd (G1 imp G2) → nd G1 → nd G2

Γ ⊢ G is a hypothetical judgment, since the premiss of ⊃I in Figure 1 discharges the hypothesis u. A good choice for the representation of Γ is the LF context itself, because then all (admissible) structural rules, including 'u', weakening, contraction, and exchange, are inherited from LF and need not be encoded individually. Consequently, hypothetical judgments are represented as functions, and thus the premiss of ⊃I corresponds to an object of type (nd G1 → nd G2). The substitution operation for hypotheses may be encoded as a simple LF β-redex. The representation of natural deduction derivations in LF by 'impi' and 'impe' is adequate, i.e. derivations are in one-to-one correspondence with canonical forms of the encoding [HHP93].

Despite its elegance, the encoding of the natural deduction calculus in LF has one fundamental drawback. It is not inductive in the sense of [PM93]: the occurrence of 'nd G1' to the left of the arrow in the type of 'impi' violates the positivity condition, and thus recursive functions cannot be defined by cases on an argument of type 'nd G'. It is the main contribution of this paper to resolve this seeming contradiction.

There are many other logical frameworks that represent natural deductions while supporting function definition by cases; however, many of these encodings are less immediate. For example, the encoding from Example 1 can be turned into an inductive type by a technique proposed by Despeyroux et al. [DFH95]. This technique enforces the positivity condition by replacing the negative occurrence 'nd G1' in 'impi' by a new parameter type 'var G1', at the expense of the advantages that come with higher-order abstract syntax: structural rules and substitution are no longer directly supported.

The modal λ-calculus [DPS97,DL99,Hof99] supports true higher-order encodings and function definition by iteration. Its version of iteration, however, is quite rigid and sometimes poses problems when applying weakening and substitution lemmas or when using dependent types.




588 Carsten Schürmann



The programming language FreshML [GP99,PG00] imports higher-order abstract syntax into a functional programming setting and takes care of α-renaming internally. However, neither dependent types nor substitutions are directly supported by FreshML, and they must therefore be programmed explicitly.

The meta-logic M_2 is a direct predecessor of this work [SP98]. It supports higher-order encodings, but it does not allow recursion to traverse λ-binders. Consequently, M_2's expressiveness is limited, and those functions that motivate this work are simply not expressible.

The calculi of partial inductive definitions [Hal87] and definitional reflection [SH93] are purely logical systems. Even when interpreted functionally, their proofs require all arguments to be closed, and recursion must not traverse λ-binders. Figure 1 can also be encoded in a logical framework implemented in the meta-logic FOλ^ΔIN [MM97]. FOλ^ΔIN, however, is a sequent calculus and does not support functions that range over those encodings.

Miller [Mil90] suggests extending ML datatypes by a parameter mechanism to support higher-order abstract syntax. New parameters can be dynamically generated and (recursive) functions dynamically extended by new cases; dependent types, however, are not supported.

The representation of natural deduction derivations in Example 1 is concise and elegant, and it leverages properties inherent to LF. In this paper we design a type system of partial recursive functions that range over higher-order encodings. The functions are definable by case analysis and recursion.



3 The Reg‌ular World Assumption

As running example we use a mapping of natural deduction derivations into derivations of the sequent calculus. Although we present only one connective, the example scales to full first-order logic. The judgment for sequent derivations is Γ ⇒ G; its rules and its adequate encoding are depicted in Figure 2 [Pfe95]. Hypotheses to the left of the sequent symbol '⇒' are encoded using 'hyp' in order to distinguish them from the conclusion to the right, which is encoded using 'conc'. Only by representing them as two separate type families can we guarantee the adequacy of the encoding, which also relies on the fact that the hard-wired structural properties of hypotheses such as weakening and contraction are implicit in the encoding in LF.

Gentzen has shown in [Gen35] that such a mapping from natural deductions D into sequent derivations E exists. This algorithm is depicted in the left column of Figure 3, and we refer to it as Gentzen's algorithm. Because natural deductions and sequent derivations are represented differently, we let Δ_u = u1 :: G1, ..., un :: Gn be the natural deduction context, and Γ_h = h1 :: G1, ..., hn :: Gn be the sequent context.

Fig. 2. Sequent Calculus and its Representation in LF

$$
\frac{}{\Gamma, h :: G \Rightarrow G}\ \mathrm{init}
\qquad
\frac{\Gamma \Rightarrow G_1 \qquad \Gamma, h :: G_1 \Rightarrow G_2}{\Gamma \Rightarrow G_2}\ \mathrm{cut}
$$

$$
\frac{\Gamma, h :: G_1 \Rightarrow G_2}{\Gamma \Rightarrow G_1 \supset G_2}\ {\supset}R^{h}
\qquad
\frac{\Gamma, h :: G_1 \supset G_2 \Rightarrow G_1 \qquad \Gamma, h :: G_1 \supset G_2, h_2 :: G_2 \Rightarrow G_3}{\Gamma, h :: G_1 \supset G_2 \Rightarrow G_3}\ {\supset}L^{h_2}
$$

  hyp  : o → type
  conc : o → type

  init : hyp G → conc G
  cut  : conc G1 → (hyp G1 → conc G2) → conc G2
  impR : (hyp G1 → conc G2) → conc (G1 imp G2)
  impL : conc G1 → (hyp G2 → conc G3) → (hyp (G1 imp G2) → conc G3)

Fig. 3. Gentzen's algorithm (left column) and the recursive function ndseq in informal syntax (right column)

Left column:

  Input: A derivation D of Δ_u ⊢ G.

  Case 1: D is the hypothesis rule u, concluding Δ_u, u :: G ⊢ G.
    Compute E of Γ_h, h :: G ⇒ G by init.
    Return E.

  Case 2: D ends in ⊃I^u with premiss D' of Δ_u, u :: G1 ⊢ G2 and conclusion Δ_u ⊢ G1 ⊃ G2.
    Compute E' of Γ_h, h :: G1 ⇒ G2 by recursion on D'.
    Compute E of Γ_h ⇒ G1 ⊃ G2 by rule ⊃R on E'.
    Return E.

  Case 3: D ends in ⊃E with premisses D1 of Δ_u ⊢ G1 ⊃ G2 and D2 of Δ_u ⊢ G1, and conclusion Δ_u ⊢ G2.
    Compute E1 of Γ_h ⇒ G1 ⊃ G2 by recursion on D1.
    Compute E2 of Γ_h ⇒ G1 by recursion on D2.
    Compute E2' of Γ_h, h :: G1 ⊃ G2 ⇒ G1 by weakening on E2.
    Compute E3 of Γ_h, h :: G1 ⊃ G2, h2 :: G2 ⇒ G2 by init.
    Compute E4 of Γ_h, h :: G1 ⊃ G2 ⇒ G2 by ⊃L on E2' and E3.
    Compute E of Γ_h ⇒ G2 by cut on E1 and E4.
    Return E.

Right column:

  fun ndseq u = (init h)
    | ndseq (impi D') =
        let
          new u : nd G1, h : hyp G1
          val (E h) = ndseq (D' u)
        in
          (impR (λh. E h))
        end
    | ndseq (impe D1 D2) =
        let
          val (E1) = ndseq D1
          val (E2) = ndseq D2
        in
          (cut E1 (λh1. impL E2 (λh2. init h2) h1))
        end

Intuitively, Gentzen's algorithm should be expressible as a recursive function that maps natural deduction derivations ⌜D⌝ to sequent derivations ⌜E⌝, where ⌜D⌝ and ⌜E⌝ satisfy the invariant:

  u1 : nd ⌜G1⌝, ..., un : nd ⌜Gn⌝ ⊢ ⌜D⌝ : nd ⌜G⌝
  h1 : hyp ⌜G1⌝, ..., hn : hyp ⌜Gn⌝ ⊢ ⌜E⌝ : conc ⌜G⌝

Here, the function must accommodate the fact that ⌜D⌝ and ⌜E⌝ are open objects, since the LF contexts to the left of the ⊢ symbols are not empty, and therefore violate the so-called closed world assumption. Non-standard is also the recursive call in Case 2, which extends the natural deduction context to Δ_u, u :: G1. This extension corresponds to the traversal of the λ-binder 'u : nd G1' in LF.

The main contribution of this paper is a characterization of partial recursive functions such as the one described above. To address this situation we propose to change the status quo of the closed world assumption and generalize it to the regular world assumption. If we accept this new assumption, arguments to recursive functions do not need to be closed. They may be open in a parameter context which conforms to an a priori specified regular grammar, and it is this restriction which makes the construction work.

The form of the regular world for Gentzen's algorithm is best explained by interpreting the invariant associated with the algorithm. It says that Δ_u and Γ_h may only differ in names, but not in length. Thus, the grammar that defines the regular world for our example results from interleaving Δ_u and Γ_h as follows:

  u1 : nd ⌜G1⌝, h1 : hyp ⌜G1⌝, ..., un : nd ⌜Gn⌝, hn : hyp ⌜Gn⌝

Now the ui's and the hi's always come in pairs, and therefore any valid world can be expressed by the following grammar that defines the regular world Φ.

  Φ ::= · | Φ, u : nd G, h : hyp G

A world Φ is a finite LF context that results from repeatedly unfolding the definition of Φ. With each unfolding operation, a new parameter block is added to the world. This particular definition of Φ is custom-designed to fit Gentzen's algorithm; recursive functions from other problem domains, however, will require different Φ's. The results presented in this paper are not linked to one particular definition of Φ; they are valid for any Φ. Another example is given in Section 7.

In this world Φ, there exists a recursive function ndseq which is depicted (in informal syntax) in the right column of Figure 3. Parallel to the informal case analysis performed on D in Gentzen's algorithm, ndseq is defined by cases.

The first case of ndseq formalizes Case 1. It applies in a situation where ⌜D⌝ is bound to some parameter u in Φ. Automatically, by the invariant, there will also be a parameter h (the sibling of u). We use u and h as variables that range exclusively over parameters from the regular world Φ.

The second case of ndseq formalizes Case 2. The argument D' = ⌜D'⌝ is of functional type 'nd G1 → nd G2', and therefore ndseq must traverse the λ-binder before it recurses. It does so by extending the regular world by a new parameter block (indicated by the new-notation) u : nd G1, h : hyp G1. The recursive call on (D' u) yields a sequent derivation (E' h) which is parametric in h. One more application of 'impR' forms the return object.

The third case formalizes Case 3 and simply returns an appropriate LF object after recursing on D1 and D2. Note that in constructing this result object all appeals to weakening lemmas are automatic, since they are inherited from LF. In other examples, appeals to substitution lemmas are formalized equally elegantly.

The regular world assumption provides many new concepts and advantages. It generalizes recursive functions to higher-order encodings without an explicit positivity condition [PM93]. It permits arguments passed to recursive functions to be open. It gives recursive calls the freedom to traverse λ-binders. It allows recursive functions to define cases for parameters. It is elegant in that recursive functions can be formulated concisely and directly which are not so easy to write in modal λ-calculi [DPS97,DL99,Hof99]. And finally, it is compatible with dependent types.
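The translation described in this section, run as code. The following Python program is an added example and not part of the paper: it encodes the natural deduction objects of Example 1 and the sequent objects of Figure 2 with Python closures standing in for LF binders, implements ndseq as in the right column of Figure 3 with an explicit regular world (a map from each parameter u : nd G to its sibling h : hyp G), and checks the result against the invariant with two small type checkers that play the role of LF type checking. The names check_nd, check_seq, rename and translate, the tuple encoding of formulas, and the sample derivation are ours.

```python
"""Gentzen's algorithm (Figure 3) run over a higher-order encoding.  Added
example, not code from the paper.  The binder of
'impi : (nd G1 -> nd G2) -> nd (G1 imp G2)' is a Python closure; traversing it
extends the regular world  Phi ::= . | Phi, u : nd G, h : hyp G  by one fresh
block, kept here as a dict entry u -> h.  check_nd/check_seq stand in for LF
type checking; translate() is our name, not the paper's."""
from dataclasses import dataclass
from typing import Callable

# formulas: an atom is a str, G1 imp G2 is the tuple ("imp", G1, G2)
def imp(g1, g2): return ("imp", g1, g2)

@dataclass(eq=False)                # eq=False: identity, so each Param() is a fresh name
class Param:                        # a parameter u : nd G (kind "nd") or h : hyp G (kind "hyp")
    kind: str
    formula: object

@dataclass(eq=False)
class ImpI:                         # impi : (nd G1 -> nd G2) -> nd (G1 imp G2)
    g1: object
    body: Callable[[Param], object]

@dataclass(eq=False)
class ImpE:                         # impe : nd (G1 imp G2) -> nd G1 -> nd G2
    d1: object
    d2: object

@dataclass(eq=False)
class Init:                         # init : hyp G -> conc G
    h: Param

@dataclass(eq=False)
class Cut:                          # cut : conc G1 -> (hyp G1 -> conc G2) -> conc G2
    e1: object
    body: Callable[[Param], object]

@dataclass(eq=False)
class ImpR:                         # impR : (hyp G1 -> conc G2) -> conc (G1 imp G2)
    g1: object
    body: Callable[[Param], object]

@dataclass(eq=False)
class ImpL:                         # impL : conc G1 -> (hyp G2 -> conc G3) -> hyp (G1 imp G2) -> conc G3
    e1: object
    body: Callable[[Param], object]
    h: Param

def check_nd(d, delta):
    """Type-check an nd object (a Param, ImpI or ImpE) under Delta_u = {u: G}; return G."""
    if isinstance(d, Param):
        return delta[d]
    if isinstance(d, ImpI):
        u = Param("nd", d.g1)
        return imp(d.g1, check_nd(d.body(u), {**delta, u: d.g1}))
    t = check_nd(d.d1, delta)
    assert t[0] == "imp" and check_nd(d.d2, delta) == t[1], "ill-typed impe"
    return t[2]

def check_seq(e, gamma):
    """Type-check a sequent object under Gamma_h = {h: G}; return G."""
    if isinstance(e, Init):
        return gamma[e.h]
    if isinstance(e, Cut):
        h = Param("hyp", check_seq(e.e1, gamma))
        return check_seq(e.body(h), {**gamma, h: h.formula})
    if isinstance(e, ImpR):
        h = Param("hyp", e.g1)
        return imp(e.g1, check_seq(e.body(h), {**gamma, h: e.g1}))
    t = gamma[e.h]
    assert t[0] == "imp" and check_seq(e.e1, gamma) == t[1], "ill-typed impL"
    h2 = Param("hyp", t[2])
    return check_seq(e.body(h2), {**gamma, h2: t[2]})

def rename(e, old, new):
    """Replace parameter old by new inside e: the object-level side of discharging h."""
    r = lambda x: rename(x, old, new)
    if isinstance(e, Init):
        return Init(new if e.h is old else e.h)
    if isinstance(e, Cut):
        return Cut(r(e.e1), lambda h: r(e.body(h)))
    if isinstance(e, ImpR):
        return ImpR(e.g1, lambda h: r(e.body(h)))
    return ImpL(r(e.e1), lambda h: r(e.body(h)), new if e.h is old else e.h)

def ndseq(d, world):
    """Right column of Figure 3; world maps each u : nd G to its sibling h : hyp G."""
    if isinstance(d, Param):                      # Case 1: D is a parameter u,
        return Init(world[d])                     #   its sibling h is in the same block
    if isinstance(d, ImpI):                       # Case 2: traverse the binder
        u, h = Param("nd", d.g1), Param("hyp", d.g1)   # new u : nd G1, h : hyp G1
        e = ndseq(d.body(u), {**world, u: h})     # recursive call in the extended world
        # E mentions h but never u (sequent objects contain no nd objects), so only h is bound
        return ImpR(d.g1, lambda h2: rename(e, h, h2))
    e1 = ndseq(d.d1, world)                       # Case 3: recurse on D1 and D2; the
    e2 = ndseq(d.d2, world)                       #   weakening of E2 under h1 costs nothing
    return Cut(e1, lambda h1: ImpL(e2, lambda h2: Init(h2), h1))

def translate(d):
    """Run ndseq in the empty world and confirm the result proves the same G."""
    g = check_nd(d, {})
    assert check_seq(ndseq(d, {}), {}) == g
    return g

if __name__ == "__main__":
    # constructed sample: |- (A imp B) imp (A imp B), i.e. impi (\u. impi (\v. impe u v))
    d = ImpI(imp("A", "B"), lambda u: ImpI("A", lambda v: ImpE(u, v)))
    print(translate(d))
```

Running ndseq with a non-empty world (a dict with one u/h pair) exercises the open-argument case directly: the derivation passed in then mentions a parameter that is not bound by any binder in the term itself, which is exactly what the closed world assumption forbids.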
4 Type System T_ω^+

We begin now with the formal presentation of the type system T_ω^+, which supports function definition by recursion as used above for the definition of Gentzen's algorithm ndseq. A detailed presentation of T_ω^+ and its meta-theory can be found in the author's thesis [Sch00]. T_ω^+'s recursive functions range over higher-order LF objects and can therefore take advantage of all properties which are associated with hypothetical judgments, such as substitution, weakening, contraction, and exchange.

T_ω^+'s type system is simple. It provides a dependent function type ∀, a dependent product type ∃, and a unit type ⊤. T_ω^+'s function types can contain ω many alternations of ∀ and ∃ types. The type constructors of T_ω^+ are inspired by logic; however, for the purpose of this paper we view them solely as type constructors. ndseq, for example, has type ∀G : o. ∀D : nd G. ∃E : conc G. ⊤.

That ndseq in Figure 3 expects only one argument is due to the fact that the first argument can be inferred from the second, and it is therefore omitted when using informal syntax. ndseq's type states that in any regular world Φ, for every valid formula G : o and for every valid natural deduction derivation D (Φ ⊢ D : nd G), the execution of ndseq applied to G and D might or might not terminate normally. However, if it terminates normally, then ndseq has computed an instance of type ∃E : conc G. ⊤, and the left projection yields a valid LF object representing a sequent derivation in Φ (Φ ⊢ E : conc G). For the purpose of this paper, we assume the specification of Φ to be fixed, as we do, for example, with the specification of the LF signature. ∀ and ∃ types are designed to bind variables whose structure can be analyzed by case analysis.

  Types: F ::= ∀x : A. F | ∃x : A. F | ⊤

Here, A ranges over LF types [HHP93]. The T_ω^+ type system can easily be extended by product types F1 ∧ F2, which we omit because of space constraints.

4.1 Subordination

Recursive functions in T_ω^+ are executed in regular worlds. During execution, they may extend the current world by new parameters. Thus, the world grows with each traversal of a λ-binder before a recursive call, and it shrinks upon return when parameters are discharged. In general, a returned object need not depend on all of the parameters to be discharged. In the second case of ndseq, for example, executing (D' u) yields an E which may depend on h but not on u.

That E does not depend on u is justified by the way sequent derivations are constructed. They are simply not defined in terms of natural deduction derivations. Virga [Vir99] proposed a technique that decides whether a parameter can possibly occur in an object of a given type. His procedure inspects the LF signature and derives the so-called "subordination relation". A type A is said to be subordinate to A' (A ≺ A') if objects of type A may occur within objects of type A'.
Lemma 1 (Strengthening). If Γ, x : A ⊢ M : A' and A ⊀ A', then Γ ⊢ M : A'.

Indeed, because 'hyp' ≺ 'conc' and 'nd' ⊀ 'conc', it follows from Lemma 1 that E cannot depend on u : nd G1, and thus E : hyp G1 → conc G2. In general, if a return object has type A2 before discharging parameters, then it has type 'abs Γ. A2' after the discharge takes place.

Definition 1 (Abstraction).

$$
\mathrm{abs}\ \Gamma.\, A_2 =
\begin{cases}
A_2 & \text{if } \Gamma = \cdot \\
\mathrm{abs}\ \Gamma'.\, A_2 & \text{if } \Gamma = \Gamma', x : A_1 \text{ and } A_1 \not\prec A_2 \\
\Pi x : A_1.\ (\mathrm{abs}\ \Gamma'.\, A_2) & \text{if } \Gamma = \Gamma', x : A_1 \text{ and } A_1 \prec A_2
\end{cases}
$$

In the example, 'hyp G1 → conc G2 = abs (u : nd G1, h : hyp G1). (conc G2)' is the type of E after parameter discharge. Lemma 1 guarantees that no parameters escape their scope. Similarly, on the object level, abstraction must bind each parameter it discharges if there is any chance that the parameter occurs free in the object.

Definition 2 (Raising). Let M be of type A2.

$$
\mathrm{raise}\ \Gamma.\, M =
\begin{cases}
M & \text{if } \Gamma = \cdot \\
\mathrm{raise}\ \Gamma'.\, M & \text{if } \Gamma = \Gamma', x : A_1 \text{ and } A_1 \not\prec A_2 \\
\lambda x : A_1.\ (\mathrm{raise}\ \Gamma'.\, M) & \text{if } \Gamma = \Gamma', x : A_1 \text{ and } A_1 \prec A_2
\end{cases}
$$

By a simple inductive argument we can show that this design is sound.

Lemma 2 (Soundness).

1. If Γ, Γ' ⊢ A : type, then Γ ⊢ abs Γ'. A : type.

2. If Γ, Γ' ⊢ M : A, then Γ ⊢ raise Γ'. M : abs Γ'. A.
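Definitions 1 and 2 applied mechanically. The following Python code is an added example, not the paper's: it derives the subordination relation from the constant declarations of Example 1 and Figure 2 (using the criterion the text attributes to Virga: every family occurring in an argument or index position of a constructor of a is subordinate to a, closed under transitivity) and then computes abs and raise for the parameter block of Gentzen's algorithm. Types are represented with non-dependent arrows only, which suffices to see which families occur where; the names subordination, subordinate, abs_type and raise_obj and the string rendering of bound parameters are ours.

```python
"""Subordination (Section 4.1) and abstraction/raising (Definitions 1 and 2)
computed from an LF signature.  Added example, not the paper's code: the
signature is that of Example 1 and Figure 2, the representation is ours."""
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Fam:                       # a type family applied to index objects, e.g. 'nd G'
    name: str
    args: Tuple[str, ...] = ()   # we only track which families the indices belong to


@dataclass(frozen=True)
class Arrow:                     # A -> B (non-dependent arrows suffice for this example)
    dom: "Ty"
    cod: "Ty"


Ty = Union[Fam, Arrow]
O = Fam("o")
ND, HYP, CONC = Fam("nd", ("o",)), Fam("hyp", ("o",)), Fam("conc", ("o",))


def head(ty: Ty) -> str:
    """The family at the end of A1 -> ... -> An -> a."""
    return head(ty.cod) if isinstance(ty, Arrow) else ty.name


def families_in(ty: Ty) -> set:
    """All families occurring anywhere in ty (argument and index positions)."""
    if isinstance(ty, Arrow):
        return families_in(ty.dom) | families_in(ty.cod)
    return {ty.name} | set(ty.args)


# Constructed signature: Example 1 (nd) and Figure 2 (hyp, conc) of the paper.
SIG: List[Tuple[str, Ty]] = [
    ("imp",  Arrow(O, Arrow(O, O))),
    ("impi", Arrow(Arrow(ND, ND), ND)),
    ("impe", Arrow(ND, Arrow(ND, ND))),
    ("init", Arrow(HYP, CONC)),
    ("cut",  Arrow(CONC, Arrow(Arrow(HYP, CONC), CONC))),
    ("impR", Arrow(Arrow(HYP, CONC), CONC)),
    ("impL", Arrow(CONC, Arrow(Arrow(HYP, CONC), Arrow(HYP, CONC)))),
]
# Family declarations 'nd : o -> type' etc., recorded as family -> index families.
KINDS = {"o": [], "nd": ["o"], "hyp": ["o"], "conc": ["o"]}


def subordination(sig, kinds) -> dict:
    """rel[a] = set of families a' with a' < a (objects of a' may occur inside objects of a)."""
    below = {a: {a} | set(idx) for a, idx in kinds.items()}   # reflexive, plus index families
    for _, ty in sig:
        below[head(ty)] |= families_in(ty)   # everything in an argument of a constructor of 'a'
    changed = True
    while changed:                           # transitive closure
        changed = False
        for a in list(below):
            more = set().union(*(below.get(b, {b}) for b in below[a]))
            if not more <= below[a]:
                below[a] |= more
                changed = True
    return below


def subordinate(rel, a1: Fam, a2: Fam) -> bool:
    """A1 < A2 on the heads of the two types."""
    return a1.name in rel[a2.name]


def abs_type(rel, gamma: List[Tuple[str, Fam]], a2: Fam) -> Tuple[List[str], Fam]:
    """Definition 1: the parameters of gamma that must be Pi-bound in front of A2."""
    bound = [x for x, a1 in gamma if subordinate(rel, a1, a2)]
    return bound, a2


def raise_obj(rel, gamma: List[Tuple[str, Fam]], m: str, a2: Fam) -> str:
    """Definition 2: lambda-bind the same parameters in front of an object M : A2 (Twelf-style [x] M)."""
    bound, _ = abs_type(rel, gamma, a2)
    return "".join(f"[{x}] " for x in bound) + m


if __name__ == "__main__":
    rel = subordination(SIG, KINDS)
    block = [("u", ND), ("h", HYP)]          # the parameter block of Gentzen's algorithm
    print(abs_type(rel, block, CONC))         # only h survives: hyp < conc, nd not< conc
    print(raise_obj(rel, block, "init h", CONC))
```

The point to take from the run is the asymmetry the paper relies on: 'hyp' is subordinate to 'conc' because init, cut, impR and impL all take hyp arguments, while nothing in the signature ever places an nd object inside a conc object, so u is dropped and h is bound.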

4.2 The Core of T_ω^+

T_ω^+'s functions use two kinds of variable binding, and their use is demonstrated by ndseq in Figure 3. First, there are variables x that bind arbitrary LF objects M valid in any well-formed regular world Φ. These variables are used, for example, in the patterns of the second and third case. In general, they are bound by the ∀ and ∃ quantifiers, and any instantiation may be analyzed by cases.

Second, there are parameter variables u and h as used in the first case of ndseq. They are designed exclusively to range over parameter blocks. In this sense, they behave more like constructors than variables, and yet they are variables because they bind concrete parameter occurrences declared in Φ at run-time. The fact that parameters are always organized in blocks is also reflected in the formal system of T_ω^+. Parameter variables never occur alone; they only occur as compound variable blocks ρ = (u : nd G, h : hyp G). Variable blocks can only range over parameter blocks declared in Φ, and binding is defined componentwise. Although our informal syntax of T_ω^+ functions used in Figure 3 hides variable blocks, they are important in the formal exposition.
In our example, Φ is defined in terms of one block, but in the general case it can be defined in terms of several [Sch00]. We distinguish each of them by labels, and assign the label L to the one block in our example.

  Φ ::= · | Φ, (u : nd G, h : hyp G)^L

Variable blocks are indexed by the appropriate label L. Ψ is a context that denotes not only the set of free LF variables, but also what is known about the regular world.

  Object context: Ψ ::= · | Ψ, x : A | Ψ, ρ^L

The context D : nd G1, (u : nd G2, h : hyp G2)^L, for example, expresses that D may be instantiated with an object of type 'nd G1' valid in a regular world, and that (u : nd G2, h : hyp G2)^L is bound to one parameter block in this world. The validity judgments for contexts extend the standard definition of valid LF contexts in a straightforward way.

T_ω^+ is a two-level system: on the object level, variables x range over LF objects and parameter variables range over parameters. Variables on the meta-level are separate; they are called meta-variables x and range over T_ω^+ objects of type F. The meta-variables form a meta-context Δ on the meta-level.

  Meta-context: Δ ::= · | Δ, x ∈ F

The syntax we have used to present ndseq in Figure 3 contains syntactic sugar in order to make this material accessible. Its desugared version (given in the right column of Figure 6), however, is less intuitive and requires several mutually dependent syntactic categories, including programs and declarations. These programs and declarations resemble the proof terms of an intuitionistic sequent calculus, with the important addition of the ν ρ^L. D declaration, which, operationally speaking, extends the world by new parameters before evaluating D.

  Programs:     P ::= x | λx : A. P | (M, P) | () | let D in P
  Declarations: D ::= · | ν ρ^L. D | y ∈ F = P M, D | (x : A, y ∈ F) = P, D

The syntactic category of programs is extended below to accommodate case analysis and recursion. For the sake of brevity we omit the straightforward desugaring algorithm that maps our informal syntax into T_ω^+.

Programs and declarations give rise to the definition of two typing judgments. We write Ψ; Δ ⊢ P ∈ F if program P is of type F, and for declarations we write Ψ; Δ ⊢ D ∈ Ψ'. From an operational point of view, all variable declarations in Ψ' will be instantiated and returned after D is computed. We use '∈' as the typing symbol for T_ω^+ in order to clearly distinguish it from the ':' for LF.

  Typing programs:     Ψ; Δ ⊢ P ∈ F
  Typing declarations: Ψ; Δ ⊢ D ∈ Ψ'

The typing rules for these judgments are mutually dependent and are given in Figure 4. We omit the validity judgment for Ψ from the rules axvar, P⊤, and D·. The premiss 'Ψ ⊢ M : A' of the rules P∃ and D∀ is the standard LF typing judgment. It allows M to depend on free variables and parameters declared in Ψ. The Dν rule specifies how new parameter blocks are inserted into the regular world and how they are discharged thereafter. The premiss 'abs ρ. Ψ' = Ψ''' of the Dν rule shifts all types in Ψ' componentwise (see Definition 1).

$$
\frac{(x \in F)\ \text{in}\ \Delta}{\Psi; \Delta \vdash x \in F}\ \mathrm{axvar}
\qquad
\frac{}{\Psi; \Delta \vdash () \in \top}\ P{\top}
\qquad
\frac{\Psi; \Delta \vdash D \in \Psi' \qquad \Psi, \Psi'; \Delta \vdash P \in F}{\Psi; \Delta \vdash \mathbf{let}\ D\ \mathbf{in}\ P \in F}\ \mathrm{sel}
$$

$$
\frac{\Psi, x : A; \Delta \vdash P \in F}{\Psi; \Delta \vdash \lambda x : A.\, P \in \forall x : A.\, F}\ P{\forall}
\qquad
\frac{\Psi \vdash M : A \qquad \Psi; \Delta \vdash P \in F[M/x]}{\Psi; \Delta \vdash (M, P) \in \exists x : A.\, F}\ P{\exists}
$$

$$
\frac{}{\Psi; \Delta \vdash \cdot \in \cdot}\ D{\cdot}
\qquad
\frac{\Psi, \rho^L; \Delta \vdash D \in \Psi' \qquad \mathrm{abs}\ \rho.\, \Psi' = \Psi''}{\Psi; \Delta \vdash \nu \rho^L.\, D \in \Psi''}\ D{\nu}
$$

$$
\frac{\Psi; \Delta \vdash P \in \forall x : A.\, F \qquad \Psi \vdash M : A \qquad \Psi; \Delta, y \in F[M/x] \vdash D \in \Psi'}{\Psi; \Delta \vdash (y \in F[M/x] = P\, M,\ D) \in \Psi'}\ D{\forall}
$$

$$
\frac{\Psi; \Delta \vdash P \in \exists x : A.\, F \qquad \Psi, x : A; \Delta, y \in F \vdash D \in \Psi'}{\Psi; \Delta \vdash ((x : A, y \in F) = P,\ D) \in (x : A, \Psi')}\ D{\exists}
$$

Fig. 4. Typing Rules of the Core of T_ω^+

4.3 Case Analysis and Recursion

The design of T_ω^+'s case analysis mechanism is non-standard. Because of dependencies, variables can occur non-linearly within the types of other variables. Thus case analysis is not a local operation that affects only one variable, but can simultaneously affect others as well. In Gentzen's algorithm (Figure 3), for example, matching against the declaration D determines the form of the formula G in the 'impi' case. Therefore, case analysis must simultaneously distinguish cases on all variables declared in Ψ.

To this effect, our design employs a substitution (or environment) η as case subject. It enables us to consider cases over all objects stored in η simultaneously. Similarly, the patterns ψ that trigger each case are also substitutions, and thus the matching problem "does ψ match η" reduces to the question "is ψ a more general substitution than η". We define that ψ matches η iff there exists an η' such that η = ψ ∘ η'.

Environments η and patterns ψ are substitutions with domain Ψ. They substitute objects M for variables x and variable blocks ρ' for variable blocks ρ. We write Ψ' ⊢ ψ ∈ Ψ if ψ is valid.

  Object substitutions: ψ ::= · | ψ, M/x | ψ, ρ'/ρ

The choice of a substitution η as case subject has another advantage, namely that each branch remains invariant under substitution application. If a substitution σ is applied to a case program, it is absorbed by simple substitution composition: the new case subject is η ∘ σ. Each individual case is therefore closed and defined in terms of the pattern ψ, its co-domain Ψ, and a body P. T_ω^+ also provides a recursion operator μ with the standard static semantics.

  Programs: P ::= ... | case η of Ω | μx ∈ F. P
  Cases:    Ω ::= · | (Ω | (Ψ ▷ ψ ↦ P))

The rules defining case analysis and recursion can be found in Figure 5. The premisses of the case rule ensure that the subject of the case program is well-typed, as well as Ω. The latter requires a new judgment: Ψ; Δ ⊢ Ω ∈ F.

For the sake of brevity, we have omitted a strictness side condition on alt that guarantees that matching against ψ instantiates all variables declared in Ψ'.

Figure 6 shows the definition of ndseq (from Figure 3) on the left in informal syntax and on the right in T_ω^+ syntax. For improved readability we omit the type annotations from declarations.

$$
\frac{\Psi; \Delta, x \in F \vdash P \in F}{\Psi; \Delta \vdash \mu x \in F.\, P \in F}\ \mathrm{fix}
\qquad
\frac{}{\Psi; \Delta \vdash \cdot \in F}\ \mathrm{base}
$$

$$
\frac{\Psi \vdash \eta \in \Psi' \qquad \Psi'; \Delta' \vdash \Omega \in F}{\Psi; \Delta'[\eta] \vdash \mathbf{case}\ \eta\ \mathbf{of}\ \Omega \in F[\eta]}\ \mathrm{case}
\qquad
\frac{\Psi; \Delta \vdash \Omega \in F \qquad \Psi'; \Delta[\psi] \vdash P \in F[\psi]}{\Psi; \Delta \vdash (\Omega \mid (\Psi' \triangleright \psi \mapsto P)) \in F}\ \mathrm{alt}
$$

Fig. 5. Case Analysis and Recursion in T_ω^+

Left column (informal syntax):

  fun ndseq u = (init h)
    | ndseq (impi D') =
        let
          new u : nd G1, h : hyp G1
          val (E h) = ndseq (D' u)
        in
          (impR (λh. E h))
        end
    | ndseq (impe D1 D2) =
        let
          val (E1) = ndseq D1
          val (E2) = ndseq D2
        in
          (cut E1 (λh1. impL E2 (λh2. init h2) h1))
        end

Right column (T_ω^+ syntax):

  μ ndseq. λG : o. λD : nd G.
    case (G/G, D/D)
    of (G : o, (u : nd G, h : hyp G)^L)
         ▷ (G/G, u/D) ↦ (init h)
     | (G1 : o, G2 : o, D' : nd G1 → nd G2)
         ▷ (G1 imp G2/G, impi (λu : nd G1. D' u)/D)
         ↦ let
               ν (u : nd G1, h : hyp G1)^L.
                 x0 = ndseq G2,
                 x1 = x0 (D' u),
                 (E, _) = x1, ·
           in (impR (λh. E h))
     | (G1 : o, G2 : o, D1 : nd (G1 imp G2), D2 : nd G1)
         ▷ (G2/G, impe D1 D2/D)
         ↦ let
               x0 = ndseq (G1 imp G2),
               x1 = x0 D1,
               (E1, _) = x1,
               x2 = ndseq G1,
               x3 = x2 D2,
               (E2, _) = x3, ·
           in (cut E1 (λh1. impL E2 (λh2. init h2) h1))
  ∈ ∀G : o. ∀D : nd G. ∃E : conc G. ⊤

Fig. 6. Gentzen's algorithm in T_ω^+
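Matching as substitution composition, made concrete. The following Python code is an added example, not the paper's: it implements "ψ matches η iff η = ψ ∘ η'" for first-order terms (constants applied to arguments, plus variables), including the check that repeated pattern variables agree, and the selection of the first matching case in the manner of the ev_yes/ev_no rules of Section 5. The λ-binders of T_ω^+ patterns (such as the λu : nd G1 in the second case of Figure 6) are not modelled, so the patterns in the test are the binder-free skeletons of Figure 6's second and third cases; the names apply, compose, match_term, matches and select are ours.

```python
"""Case selection by substitution matching (Section 4.3).  Added example, not
the paper's code.  Terms are first-order: the binders of real T_omega^+
patterns are left out, so matching is plain syntactic matching of a pattern
substitution psi against an environment eta, with the defining equation
eta = psi o eta' checked explicitly."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class Var:                       # an LF-level variable such as G2 or D1
    name: str


@dataclass(frozen=True)
class App:                       # a constant applied to arguments, e.g. impe D1 D2
    const: str
    args: Tuple["Term", ...] = ()


Term = Union[Var, App]
Subst = Dict[str, Term]          # variable name -> term


def apply(sigma: Subst, t: Term) -> Term:
    """Apply a substitution to a term (variables not in sigma stay as they are)."""
    if isinstance(t, Var):
        return sigma.get(t.name, t)
    return App(t.const, tuple(apply(sigma, a) for a in t.args))


def compose(psi: Subst, eta2: Subst) -> Subst:
    """(psi o eta2)(x) = apply(eta2, psi(x)): first psi, then eta2."""
    return {x: apply(eta2, t) for x, t in psi.items()}


def match_term(p: Term, t: Term, acc: Subst) -> bool:
    """Extend acc so that apply(acc, p) == t; return False if that is impossible.
    A pattern variable met twice must be bound to equal terms (non-linearity)."""
    if isinstance(p, Var):
        if p.name in acc:
            return acc[p.name] == t
        acc[p.name] = t
        return True
    if not isinstance(t, App) or p.const != t.const or len(p.args) != len(t.args):
        return False
    return all(match_term(pa, ta, acc) for pa, ta in zip(p.args, t.args))


def matches(psi: Subst, eta: Subst) -> Optional[Subst]:
    """'psi matches eta': return eta' with psi o eta' == eta, or None."""
    if set(psi) != set(eta):         # both substitutions have the same domain Psi
        return None
    acc: Subst = {}
    for x in psi:
        if not match_term(psi[x], eta[x], acc):
            return None
    assert compose(psi, acc) == eta  # the defining equation from Section 4.3
    return acc


def select(eta: Subst, cases: List[Subst]) -> Optional[Tuple[int, Subst]]:
    """ev_yes / ev_no: index of the first case whose pattern matches eta, with its eta'."""
    for i, psi in enumerate(cases):
        eta2 = matches(psi, eta)
        if eta2 is not None:
            return i, eta2
    return None


if __name__ == "__main__":
    # constructed sample: binder-free skeletons of the second and third case of Figure 6
    psi2 = {"G": App("imp", (Var("G1"), Var("G2"))), "D": App("impi", (Var("D'"),))}
    psi3 = {"G": Var("G2"), "D": App("impe", (Var("D1"), Var("D2")))}
    eta = {"G": App("imp", (App("a"), App("b"))), "D": App("impe", (App("d1"), App("d2")))}
    print(select(eta, [psi2, psi3]))  # the impe case is selected, eta' binds G2, D1, D2
```

The second test below shows the non-linearity the text mentions: a pattern that uses the same variable twice only matches an environment in which both positions carry the same object, so matching D really does constrain G.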

5 Operational Semantics of T_ω^+

The rules defining the operational semantics are constructed in such a way that once evaluation is invoked in a regular world Φ, its result is well-defined in exactly the same world. During evaluation, new parameters can be dynamically introduced and discharged. The operational semantics is call-by-value, and it relates programs to be executed with the result of their computation. Altogether, there are three evaluation judgments, for programs, declarations, and cases respectively, each indexed by the world Φ.

  Program evaluation:     Φ ⊢ P ↪ V
  Declaration evaluation: Φ ⊢ D ↪ η
  Selection:              Φ ⊢ η ~ Ω ↪ V

The first judgment relates P with the result of its evaluation. The second returns a list of values in the form of an environment instantiating all variables in Ψ (the type of D). And the third judgment selects a case from Ω with pattern ψ, where ψ matches η, and evaluates the respective body to V.

  Values: V ::= () | (M, V) | λx : A. P

The rules defining the operational semantics are given in Figure 7. We comment only on the non-standard rule ev_new, since it requires all objects summarized in η' to be abstracted to their new abstract types. This is established by a straightforward generalization of abstraction to substitutions, 'raise ρ. η''.

$$
\frac{}{\Phi \vdash \lambda x : A.\, P \hookrightarrow \lambda x : A.\, P}\ \mathrm{ev\_lam}
\qquad
\frac{\Phi \vdash D \hookrightarrow \eta \qquad \Phi \vdash P[\eta] \hookrightarrow V}{\Phi \vdash \mathbf{let}\ D\ \mathbf{in}\ P \hookrightarrow V}\ \mathrm{ev\_let}
$$

$$
\frac{\Phi \vdash P \hookrightarrow V}{\Phi \vdash (M, P) \hookrightarrow (M, V)}\ \mathrm{ev\_inx}
\qquad
\frac{\Phi \vdash P[\mu x \in F.\, P / x] \hookrightarrow V}{\Phi \vdash \mu x \in F.\, P \hookrightarrow V}\ \mathrm{ev\_rec}
\qquad
\frac{}{\Phi \vdash () \hookrightarrow ()}\ \mathrm{ev\_unit}
$$

$$
\frac{\Phi \vdash \eta \sim \Omega \hookrightarrow V}{\Phi \vdash \mathbf{case}\ \eta\ \mathbf{of}\ \Omega \hookrightarrow V}\ \mathrm{ev\_case}
\qquad
\frac{}{\Phi \vdash \cdot \hookrightarrow \cdot}\ \mathrm{ev\_empty}
\qquad
\frac{\Phi, \rho^L \vdash D \hookrightarrow \eta' \qquad \mathrm{raise}\ \rho.\, \eta' = \eta''}{\Phi \vdash \nu \rho^L.\, D \hookrightarrow \eta''}\ \mathrm{ev\_new}
$$

$$
\frac{\Phi \vdash P \hookrightarrow (M, V) \qquad \Phi \vdash D[M/x, V/y] \hookrightarrow \eta'}{\Phi \vdash ((x : A, y \in F) = P,\ D) \hookrightarrow (M/x, \eta')}\ \mathrm{ev\_split}
$$

$$
\frac{\Phi \vdash P \hookrightarrow \lambda x : A.\, P' \qquad \Phi \vdash P'[M/x] \hookrightarrow V \qquad \Phi \vdash D[V/y] \hookrightarrow \eta'}{\Phi \vdash (y \in F = P\, M,\ D) \hookrightarrow \eta'}\ \mathrm{ev\_app}
$$

$$
\frac{\psi \circ \eta' = \eta \qquad \Phi \vdash P[\eta'] \hookrightarrow V}{\Phi \vdash \eta \sim (\Omega \mid (\Psi \triangleright \psi \mapsto P)) \hookrightarrow V}\ \mathrm{ev\_yes}
\qquad
\frac{\Phi \vdash \eta \sim \Omega \hookrightarrow V}{\Phi \vdash \eta \sim (\Omega \mid (\Psi \triangleright \psi \mapsto P)) \hookrightarrow V}\ \mathrm{ev\_no}
$$

Fig. 7. Operational semantics of T_ω^+

6 Meta Theory

T_ω^+ is a type system of partial recursive functions. It is defined with respect to the regular world assumption. If we assume that only well-typed programs, declarations, or cases are executed, we can show that the operational semantics is type preserving. See [Sch00] for a proof.

Theorem 1 (Type preservation).

1. If Φ ⊢ P ↪ V and Φ; · ⊢ P ∈ F, then Φ; · ⊢ V ∈ F.

2. If Φ ⊢ D ↪ η and Φ; · ⊢ D ∈ Ψ, then Φ ⊢ η ∈ Ψ.

3. If Φ ⊢ η ~ Ω ↪ V and Φ ⊢ η ∈ Ψ and Ψ; · ⊢ Ω ∈ F, then Φ; · ⊢ V ∈ F[η].

Recursive functions in T_ω^+ are partial. Their execution does not always terminate, nor does it always make progress. For example, the execution of 'μx ∈ F. x' is non-terminating, and the execution of 'case η of ·' always gets stuck, for any environment η.

7 Applications

In our experience many algorithms related to programming languages and logics can be directly represented in T_ω^+. In the setting of first-order intuitionistic logic, for example, we have encoded an algorithm that transforms sequent derivations with cut into sequent derivations without cut [Pfe95]. In the interest of space, we can only give the definition of the regular world and the types of the two recursive functions. The sequent calculus for full first-order intuitionistic logic extends Figure 2 with additional left and right rules for the other connectives. Let 'i' be the LF type for terms, and Φ a regular world of the form

  Φ ::= · | Φ, (u : hyp G)^L1 | Φ, (a : i)^L2 | Φ, (p : o)^L3.

The block labeled L1 covers extensions of the world by new hypotheses, L2 by new term parameters, and L3 by new formulas. We write 'conc⁻' for the cut-free sequent calculus. ca and ce, which implement the admissibility and the elimination of cut,

  ca ∈ ∀G : o. ∀H : o. ∀D1 : conc⁻ H. ∀D2 : hyp H → conc⁻ G. ∃D' : conc⁻ G. ⊤
  ce ∈ ∀G : o. ∀D : conc G. ∃D' : conc⁻ G. ⊤

have direct and elegant implementations in T_ω^+.

8 Conclusion

We have presented a type system T_ω^+ whose partial recursive functions range over (possibly higher-order) objects and are defined by cases and recursion. Most importantly, T_ω^+ allows recursive calls to traverse λ-binders, and function definitions to match parameters. In addition, T_ω^+ supports dependent types, and its functions can take direct advantage of all properties that are associated with the representation in LF, e.g. weakening, contraction, and substitution. These features make T_ω^+ an excellent candidate for the formalization of algorithms over deductive systems that are encoded in the logical framework LF [HHP93] via higher-order abstract syntax and hypothetical judgments.

T_ω^+'s concept of partial recursive functions is justified on the basis of the regular world assumption. It successfully resolves the tension between higher-order encodings and function definition by cases and recursion. Once specified, the form of regular worlds limits the ways in which parameters are introduced during execution, and accounts for the exact form of a parameter block. Conversion procedures from one logic to another, bracket abstraction, and normalization via parallel reduction are only a few of the examples that can be directly and cleanly expressed as recursive functions in T_ω^+.
Abstract. A generalization of positive inductive and coinductive types to monotone inductive and coinductive constructors of rank 1 and rank 2 is described. The motivation is taken from initial algebras and final coalgebras in a functor category and the Curry-Howard correspondence. The definition of the system as a λ-calculus requires an appropriate definition of monotonicity to overcome subtle problems, most notably to ensure that the (co-)inductive constructors introduced via monotonicity of the underlying constructor of rank 2 are also monotone as constructors of rank 1. The problem is solved, strong normalization shown, and the notion proven to be wide enough to cover even highly complex datatypes.



1 Introduction 

Only in the last couple of years has the functional programming community become interested in heterogeneous datatypes, i.e., polymorphic datatypes whose constructors relate different instances of the datatype, unlike the lists where cons takes a list of some type and produces a list of the same type. One might wonder whether there are interesting examples. It is by now well-known that de Bruijn notation may indeed be represented as a nested datatype [3, 2]. However, the question arose whether there are also examples taken from "the outside world". In [12], a nested datatype is shown which represents arbitrary square matrices over some type with elements accessible in logarithmic time. It uses type constructors of rank 2. On the theoretical side, [1] studies even coinductive type constructors of rank 2 with considerable nesting.

The present paper intends to give a thoroughly justified general framework for the description of terminating algorithms involving inductive and coinductive constructors of rank 2. It tries to be as general as possible while not departing from higher-order parametric polymorphism which, as a logical system, is higher-order intuitionistic propositional logic, expressed in natural deduction style. This (so-called Curry-Howard) correspondence allows us to insert a logical understanding into the system design: Inductive and coinductive constructors $\mu F\mathcal{F}$ and $\nu F\mathcal{F}$ are not restricted to some kind of positivity, i.e., to requirements that free occurrences of $F$ in $\mathcal{F}$ are only allowed an even number of times to the left of $\to$. Positivity is replaced by proven monotonicity: a term inhabiting the type expressing that $\lambda F\mathcal{F}$ is monotone. For rank 1 (inductive types) this has been studied at length in [10], with the obvious notion of monotonicity expressible in system F. The main technical contribution is the definition of rank 2 monotonicity, which will be justified at many places in this article.

The next section shortly reviews system $F^\omega$; the long section 3 proposes and discusses the extension of $F^\omega$ to the system $\mathrm{MICC}^2$ of monotone inductive and coinductive constructors of rank 1 and rank 2. One of the most crucial properties is the subject of section 4: $\mu F\mathcal{F}$ and $\nu F\mathcal{F}$ are monotone if $\lambda F\mathcal{F}$ is. This result is not needed, however, for the reduction-preserving embedding into $F^\omega$ shown in section 5. $\mathrm{MICC}^2$'s strong normalization follows from that of $F^\omega$. Section 6 gives the idea of an extension even to primitive recursion of rank 2, while many closure properties of monotone constructors are shown in section 7. A few examples are considered in section 8.

2 System $F^\omega$

Girard's system of higher-order parametric polymorphism [7] is an extension of system F where the set of types is extended to a simply "typed" $\lambda$-calculus of constructors. The "types" of the constructors are called kinds and are built from the base kind $*$ (the universe of types) and the binary $\Rightarrow$ intended to form function kinds. We denote kinds by $\kappa$ (possibly with indices). The constructors all have a kind and are built from kinded constructor variables as shown below. We use the following conventions: Constructor variables are denoted by $X, Y, Z, \ldots$ and constructors by $\mathcal{X}, \mathcal{Y}, \mathcal{Z}, \ldots$; constructors of kind $*$ are called types, and constructor variables of kind $*$ are (consequently) called type variables. They are denoted by $\alpha, \beta, \gamma, \ldots$ and types by $\rho, \sigma, \tau, \ldots$ The phrase "$\mathcal{X}$ is a constructor of kind $\kappa$" will be shortened to $\mathcal{X} : \kappa$, later also with superscript, i.e., $\mathcal{X}^\kappa$. The constructors are given inductively by:

— $X^\kappa : \kappa$.

— If $\mathcal{X} : \kappa_2$ then $\lambda X^{\kappa_1}\mathcal{X} : \kappa_1 \Rightarrow \kappa_2$.

— If $\mathcal{X} : \kappa_1 \Rightarrow \kappa_2$ and $\mathcal{Y} : \kappa_1$ then $\mathcal{X}\mathcal{Y} : \kappa_2$.

— $\rho \to \sigma : *$, $\rho \times \sigma : *$, $\rho + \sigma : *$, $\forall X^\kappa\rho : *$.

Let $=_\beta$ be the (decidable) congruence closure of $(\lambda X^{\kappa_1}\mathcal{X}^{\kappa_2})\mathcal{Y}^{\kappa_1} =_\beta \mathcal{X}[X := \mathcal{Y}]$. We identify constructors which are equal w.r.t. $=_\beta$.

Terms are built from typed variables and have a type (term variables are denoted $x, y, z, u, v, f$ and terms $r, s, t$; the phrase "$r$ is a term of type $\rho$" will be shortened to $r : \rho$, later also with superscript, i.e., $r^\rho$):

— $x^\rho : \rho$.

— If $r : \rho$ then $\Lambda X^\kappa r : \forall X^\kappa\rho$, provided $X$ does not occur free in the types of the free term variables of $r$.

— If $r : \sigma$ then $\lambda x^\rho r : \rho \to \sigma$.

— If $r : \rho$ and $s : \sigma$ then $\langle r, s\rangle : \rho \times \sigma$.

— If $r : \forall X^\kappa\rho$ then $r\mathcal{X}^\kappa : \rho[X := \mathcal{X}]$.

— If $r : \rho \to \sigma$ and $s : \rho$ then $rs : \sigma$.

— If $r : \rho \times \sigma$ then $rL : \rho$ and $rR : \sigma$.




602    Ralph Matthes



Finally, $\beta$-reduction $\triangleright$ on terms is defined as the term closure of the following rules: $(\Lambda X^\kappa r)\mathcal{X} \triangleright r[X := \mathcal{X}]$, $(\lambda x^\rho r)s \triangleright r[x := s]$, $\langle r, s\rangle L \triangleright r$ and $\langle r, s\rangle R \triangleright s$.

Without being specific, we also assume to have term rules and $\beta$-reduction rules for the sum types $\rho + \sigma$ (those rules will not be used in the sequel since proofs pertaining to them had to be omitted).

$\Rightarrow$ for kinds and $\to$ for types shall associate to the right, while constructor application and term application are considered to be parenthesized to the left. The rank of a kind is defined as expected:
$$\mathrm{rk}(*) := 0, \qquad \mathrm{rk}(\kappa_1 \Rightarrow \kappa_2) := \max(\mathrm{rk}(\kappa_1) + 1, \mathrm{rk}(\kappa_2)).$$
The rank of a constructor is defined to be the rank of its kind.

3 Definition of System $\mathrm{MICC}^2$

System $F^\omega$ is extended by monotone inductive and coinductive constructors of rank 1 and rank 2, hence the name $\mathrm{MICC}^2$.

Constructor variables of kind $* \Rightarrow *$ are denoted by $F, G, H, \ldots$ and constructors of kind $* \Rightarrow *$ by $\mathcal{F}, \mathcal{G}, \mathcal{H}, \ldots$

Define the abbreviation $\mathcal{F} \le \mathcal{G} := \forall\alpha.\,\mathcal{F}\alpha \to \mathcal{G}\alpha$. We will only need monotonicity for the "pure" kinds $* \Rightarrow *$ and $(* \Rightarrow *) \Rightarrow * \Rightarrow *$ of rank 1 and 2, respectively. Monotonicity of constructors can and will simply be expressed by the definition of the following types (hence $\mathcal{F}\ \mathrm{mon}$ and $\mathcal{X}\ \mathrm{mon}$ are nothing but abbreviations for certain types):
$$\mathcal{F}^{* \Rightarrow *}\ \mathrm{mon} := \forall\alpha\forall\beta.\,(\alpha \to \beta) \to \mathcal{F}\alpha \to \mathcal{F}\beta$$
$$\mathcal{X}^{(* \Rightarrow *) \Rightarrow * \Rightarrow *}\ \mathrm{mon} := \big(\forall F.\, F\ \mathrm{mon} \to \mathcal{X}F\ \mathrm{mon}\big) \times \big(\forall F\forall G.\, F \le G \to (F\ \mathrm{mon} \to \mathcal{X}F \le \mathcal{X}G) \times (G\ \mathrm{mon} \to \mathcal{X}F \le \mathcal{X}G)\big)$$

There is no doubt that for rank 1 this is the expected and only reasonable definition. In contrast to that, there is a lot of freedom in giving a monotonicity definition for rank 2. Our definition is designed to meet the following criteria:

1. If $F$ occurs only "positively" in some $\mathcal{F}$ then $\lambda F\mathcal{F}\ \mathrm{mon}$ should be inhabited by one and only one "canonical" term.

2. Iteration and coiteration should be driven by the same monotonicity witnesses.

3. If $\lambda F\mathcal{F}\ \mathrm{mon}$ is inhabited then also $(\mu F\mathcal{F})^{* \Rightarrow *}\ \mathrm{mon}$ and $(\nu F\mathcal{F})^{* \Rightarrow *}\ \mathrm{mon}$ should be inhabited in a "canonical" way.

However, the definition is slightly blown up in comparison with the following, intuitively isomorphic, possibility:¹
$$\big(\forall F.\, F\ \mathrm{mon} \to \mathcal{X}F\ \mathrm{mon}\big) \times \big(\forall F\forall G.\, F \le G \to (F\ \mathrm{mon} + G\ \mathrm{mon}) \to \mathcal{X}F \le \mathcal{X}G\big)$$

¹ Clearly, the naive definition of monotonicity would have asserted $F\ \mathrm{mon} \times G\ \mathrm{mon}$ instead of $F\ \mathrm{mon} + G\ \mathrm{mon}$.

Both definitions are intuitively isomorphic since, in general, $\rho_1 + \rho_2 \to \sigma$ and $(\rho_1 \to \sigma) \times (\rho_2 \to \sigma)$ are. However, in applications we would need to refer to full extensional equality for sum types (even beyond permutative conversions), which is still decidable [6] but difficult to treat since it leaves the realm of rewriting. Since our focus is on intensional equality as expressed by term rewriting, the slightly less elegant definition had to be made.

First, we extend system $F^\omega$ by monotone inductive constructors of rank 1, i.e., inductive types $\mu\alpha\rho$ depending on the monotonicity of the constructor $\lambda\alpha\rho$ of rank 1. This is done exactly as for the iterative part of the elimination-based system EMIT of monotone inductive types in [10]: For every type $\rho$ we assume the type $\mu\alpha\rho$ in the system of constructors (and that $\mu\alpha$ binds every free occurrence of $\alpha$ in $\rho$).² The type $\mu\alpha\rho$ is called a monotone inductive constructor of rank 1 (or monotone inductive type) although its formation does not at all rest on a monotonicity assumption. This notion is justified since it is the usage of those constructors as specified in the term formation rules which constitutes a constructor concept. In our case, this is made clear in the introduction rule (corresponding to fold in the functional programming literature) since we introduce the type $\mu\alpha\rho$ by
$$\frac{m : \lambda\alpha\rho\ \mathrm{mon} \qquad t : \rho[\alpha := \mu\alpha\rho]}{C_{\mu\alpha\rho}\, m\, t : \mu\alpha\rho}\ (\mu\text{-I})$$
(This rule is, following the standard practice in type theory, to be read as: If $m$ is a term of type $\lambda\alpha\rho\ \mathrm{mon}$ and $t$ is a term of type $\rho[\alpha := \mu\alpha\rho]$ then $C_{\mu\alpha\rho}\, m\, t$ is a term of type $\mu\alpha\rho$. Thus, $C_{\mu\alpha\rho}$ is considered as a binary function symbol.)

If there is a closed $m : \lambda\alpha\rho\ \mathrm{mon}$, we call $\mu\alpha\rho$ a proven monotone inductive constructor of rank 1 (or proven monotone inductive type) and $m$ a monotonicity witness of $\lambda\alpha\rho$. The type $\mu\alpha\rho$ is eliminated by an iterative concept:
$$\frac{r : \mu\alpha\rho \qquad s : \rho[\alpha := \sigma] \to \sigma}{r E_\mu s : \sigma}\ (\mu\text{-E})$$
For $s : \rho[\alpha := \sigma] \to \sigma$ define $\mathcal{E}_\mu s := \lambda x^{\mu\alpha\rho}.\, x E_\mu s : \mu\alpha\rho \to \sigma$.³ The $\beta$-rule of iteration is
$$(C_{\mu\alpha\rho}\, m\, t) E_\mu s \ \triangleright\ s\big(m\,(\mu\alpha\rho)\,\sigma\,(\mathcal{E}_\mu s)\,t\big)$$
These rules obviously generalize the system of positive inductive types, e.g., system 2AJ of Leivant [9] in which $\mu\alpha\rho$ is only allowed if $\alpha$ only occurs "positively" in $\rho$. In our language, all those $\mu\alpha\rho$ are proven monotone inductive types.⁴ Therefore, the iteration rule for 2AJ simply makes use of those predetermined monotonicity witnesses. In [10, 4.2.2 and 5.1.1], the embedding of (a variant of) 2AJ into the present system is carried out in all details (even with primitive recursion instead of iteration only).

² Alternatively, one could have assumed a constructor constant $\mu : (* \Rightarrow *) \Rightarrow *$ of rank 2 and set $\mu\alpha\rho := \mu(\lambda\alpha\rho)$.

³ Why don't we introduce $\mathcal{E}_\mu s$ as official syntax for the $\mu$-elimination rule? Because we favour natural deduction style as opposed to Hilbert style. For studies on fixed-points in $\lambda$-calculi this seems to be a reasonable choice, see also [15].

⁴ This is an easy consequence of theorem 3 below.

A more categorical motivation (still with fixed monotonicity witnesses) may be found in [5]: $\mu\alpha\rho$ may be conceived as a weakly initial $\lambda\alpha\rho$-algebra (for rank 2, this is carried out below).

Now we also extend the system by monotone inductive constructors of rank 2, i.e., inductive constructors $\mu F\mathcal{F}$ depending on the monotonicity of the constructor $\lambda F\mathcal{F}$ of rank 2. The constructor $\mu F\mathcal{F}$ has kind $* \Rightarrow *$. Hence, as a constructor, $\mu F\mathcal{F}$ is of rank 1, but it is called a monotone inductive constructor of rank 2. More precisely, we extend the system of constructors by another constructor formation rule: If $\mathcal{F}$ is a constructor of kind $* \Rightarrow *$ then $\mu F\mathcal{F}$ is a constructor of kind $* \Rightarrow *$, and free occurrences of $F$ in $\mathcal{F}$ are bound by $\mu F$.⁵ The constructor $\mu F\mathcal{F}$ is called a monotone inductive constructor of rank 2 although again its formation does not at all rest on a monotonicity assumption. Since $\mu F\mathcal{F}$ is not a type, the introduction and elimination rules describe how to introduce and how to eliminate the types $(\mu F\mathcal{F})\rho$ for arbitrary $\rho$. We start with the introduction rule:
$$\frac{m : \lambda F\mathcal{F}\ \mathrm{mon} \qquad t : \mathcal{F}[F := \mu F\mathcal{F}]\rho}{C_{\mu F\mathcal{F}}\,\rho\, m\, t : (\mu F\mathcal{F})\rho}\ (\mu\text{-I})$$
For $m : \lambda F\mathcal{F}\ \mathrm{mon}$ define
$$\mathcal{C}_{\mu F\mathcal{F}}\, m := \Lambda\alpha\lambda x^{\mathcal{F}[F := \mu F\mathcal{F}]\alpha}.\, C_{\mu F\mathcal{F}}\,\alpha\, m\, x : \mathcal{F}[F := \mu F\mathcal{F}] \le \mu F\mathcal{F}.$$
If there is a closed $m : \lambda F\mathcal{F}\ \mathrm{mon}$, we call $\mu F\mathcal{F}$ a proven monotone inductive constructor of rank 2 and $m$ a monotonicity witness of $\lambda F\mathcal{F}$.⁶

The elimination rule (corresponding to an iterator) is:
$$\frac{r : (\mu F\mathcal{F})\rho \qquad n : \mathcal{G}\ \mathrm{mon} \qquad s : \mathcal{F}[F := \mathcal{G}] \le \mathcal{G}}{r E_\mu n s : \mathcal{G}\rho}\ (\mu\text{-E})$$
For $n : \mathcal{G}\ \mathrm{mon}$ and $s : \mathcal{F}[F := \mathcal{G}] \le \mathcal{G}$ define
$$\mathcal{E}_\mu n s := \Lambda\alpha\lambda x^{(\mu F\mathcal{F})\alpha}.\, x E_\mu n s : \mu F\mathcal{F} \le \mathcal{G}.$$
The $\beta$-rule of iteration for rank 2 is
$$(C_{\mu F\mathcal{F}}\,\rho\, m\, t) E_\mu n s \ \triangleright\ s\,\rho\,\big(m R\,(\mu F\mathcal{F})\,\mathcal{G}\,(\mathcal{E}_\mu n s)\,R\, n\,\rho\, t\big)$$
Some comments are in order. First we collect the information contained in the term rules while ignoring the terms themselves. We get the following inference rules:

⁵ Analogous to rank 1, we could have assumed a constant $\mu : ((* \Rightarrow *) \Rightarrow * \Rightarrow *) \Rightarrow * \Rightarrow *$ of rank 3 and set $\mu F\mathcal{F} := \mu(\lambda F\mathcal{F})$.

⁶ In Theorem 1 below it is proved that if $\mu F\mathcal{F}$ is a proven monotone constructor of rank 2, then $\mu F\mathcal{F}$, as a constructor of rank 1, is monotone (of rank 1), and hence $\mu\alpha.(\mu F\mathcal{F})\alpha$ becomes a proven monotone inductive constructor of rank 1 which, as a constructor, is simply a type, hence of rank 0.
$$\frac{\lambda F\mathcal{F}\ \mathrm{mon}}{\mathcal{F}[F := \mu F\mathcal{F}] \le \mu F\mathcal{F}}\ (\mu\text{-I}) \qquad\text{and}\qquad \frac{\mathcal{G}\ \mathrm{mon} \qquad \mathcal{F}[F := \mathcal{G}] \le \mathcal{G}}{\mu F\mathcal{F} \le \mathcal{G}}\ (\mu\text{-E})$$

This means that $\mu F\mathcal{F}$ is a pre-fixed-point of $\lambda F\mathcal{F}$ (provided $\lambda F\mathcal{F}$ is monotone) and that it is less than or equal to any monotone pre-fixed-point $\mathcal{G}$ of $\lambda F\mathcal{F}$ (whose monotonicity is not required this time). In case $\lambda F\mathcal{F}$ is monotone, we will prove below (see footnote 6) that $\mu F\mathcal{F}$ is monotone, too, whence $\mu F\mathcal{F}$ becomes a minimal monotone pre-fixed-point of $\lambda F\mathcal{F}$. Thus, $\mu F\mathcal{F}$ follows the lattice-theoretic understanding of inductive definitions. But there are also the terms and the term rewrite rule of iteration. Viewing category theory as constructive lattice theory, we can justify the iteration rule by reference to the concept of a weakly initial algebra as has been done for inductive types in [5], mentioned earlier. We will do this only rather sloppily. The "category" consists of the monotone constructors of kind $* \Rightarrow *$, the "morphisms" from $\mathcal{F}$ to $\mathcal{G}$ being the terms of type $\mathcal{F} \le \mathcal{G}$, and the "composition" being the functional composition of terms. An "endofunctor" is a monotone $\lambda F\mathcal{F}$; in this situation a "$\lambda F\mathcal{F}$-algebra" is a monotone $\mathcal{G}$ together with a term $s : \mathcal{F}[F := \mathcal{G}] \le \mathcal{G}$. The constructor $\mu F\mathcal{F}$ now turns out to be a weakly⁷ initial $\lambda F\mathcal{F}$-algebra, i.e., $\mu F\mathcal{F}$ together with $\mathcal{C}_{\mu F\mathcal{F}}\, m$ is a $\lambda F\mathcal{F}$-algebra, as expressed by the introduction rule (concerning monotonicity of $\mu F\mathcal{F}$, see footnote 6 once more). And, whenever $\mathcal{G}$ and $s$ form a $\lambda F\mathcal{F}$-algebra, which amounts to monotonicity of $\mathcal{G}$, witnessed by a term $n : \mathcal{G}\ \mathrm{mon}$, and $s : \mathcal{F}[F := \mathcal{G}] \le \mathcal{G}$, then there is the term $\mathcal{E}_\mu n s$ which is a morphism from $\mu F\mathcal{F}$ to $\mathcal{G}$, such that the following diagram "commutes":
$$\begin{array}{ccc}\mathcal{F}[F := \mu F\mathcal{F}] & \xrightarrow{\ \mathcal{C}_{\mu F\mathcal{F}}\, m\ } & \mu F\mathcal{F} \\ \Big\downarrow{\scriptstyle \mathcal{F}[F := \mathcal{E}_\mu n s]} & & \Big\downarrow{\scriptstyle \mathcal{E}_\mu n s} \\ \mathcal{F}[F := \mathcal{G}] & \xrightarrow{\ s\ } & \mathcal{G}\end{array}$$
The expression $\mathcal{F}[F := \mathcal{E}_\mu n s]$ shall denote the action of the functor $\lambda F\mathcal{F}$ on the morphism $\mathcal{E}_\mu n s$. The most natural understanding is given by the following definition: $\mathcal{F}[F := \mathcal{E}_\mu n s] := m R\,(\mu F\mathcal{F})\,\mathcal{G}\,(\mathcal{E}_\mu n s)\,R\, n$.⁸ Therefore, commutation of the diagram means that for any type $\rho$ and any term $t : \mathcal{F}[F := \mu F\mathcal{F}]\rho$, we have
$$\mathcal{E}_\mu n s\,\rho\,(\mathcal{C}_{\mu F\mathcal{F}}\, m\,\rho\, t) = s\,\rho\,\big(m R\,(\mu F\mathcal{F})\,\mathcal{G}\,(\mathcal{E}_\mu n s)\,R\, n\,\rho\, t\big).$$
Obviously, the left-hand side is $\beta$-equivalent (using only rules already present in system F) with the left-hand side of the iteration rule, and the right-hand side is that of the iteration rule. Subject reduction will now also be clear, i.e., the right-hand side of the iteration rule receives the same type as the left-hand side.

⁷ Full initiality includes a uniqueness statement and would lead to an extensional notion of equality.

⁸ Notice how our definition of monotonicity for rank 2 allows us to avoid the reference to the monotonicity of $\mu F\mathcal{F}$.

By dualization, we also introduce monotone coinductive constructors of rank 1 and rank 2: Let also $\nu\alpha\rho$ be a type and $\nu F\mathcal{F}$ be a constructor of kind $* \Rightarrow *$ (with
binding as for $\mu\alpha\rho$ and $\mu F\mathcal{F}$). The type $\nu\alpha\rho$ is called a monotone coinductive constructor of rank 1 (a monotone coinductive type), and $\nu F\mathcal{F}$ is called a monotone coinductive constructor of rank 2. The term formation rules pertaining to $\nu\alpha\rho$ are an elimination rule (corresponding to unfold in the functional programming literature) and a mechanism for coiteration. We start with the elimination rule:
$$\frac{r : \nu\alpha\rho \qquad m : \lambda\alpha\rho\ \mathrm{mon}}{r E_\nu m : \rho[\alpha := \nu\alpha\rho]}\ (\nu\text{-E})$$
If there is a monotonicity witness of $\lambda\alpha\rho$, we call $\nu\alpha\rho$ a proven monotone coinductive constructor of rank 1 (or proven monotone coinductive type). Terms of type $\nu\alpha\rho$ are introduced by a coiterative concept:
$$\frac{s : \sigma \to \rho[\alpha := \sigma] \qquad t : \sigma}{C_{\nu\alpha\rho}\, s\, t : \nu\alpha\rho}\ (\nu\text{-I})$$
For $s : \sigma \to \rho[\alpha := \sigma]$ define $\mathcal{C}_{\nu\alpha\rho}\, s := \lambda x^\sigma.\, C_{\nu\alpha\rho}\, s\, x : \sigma \to \nu\alpha\rho$. The $\beta$-rule of coiteration is
$$(C_{\nu\alpha\rho}\, s\, t) E_\nu m \ \triangleright\ m\,\sigma\,(\nu\alpha\rho)\,(\mathcal{C}_{\nu\alpha\rho}\, s)\,(s t)$$
Rank 2 is treated analogously. The elimination rule is
$$\frac{r : (\nu F\mathcal{F})\rho \qquad m : \lambda F\mathcal{F}\ \mathrm{mon}}{r E_\nu m : \mathcal{F}[F := \nu F\mathcal{F}]\rho}\ (\nu\text{-E})$$
For $m : \lambda F\mathcal{F}\ \mathrm{mon}$ define
$$\mathcal{E}_\nu m := \Lambda\alpha\lambda x^{(\nu F\mathcal{F})\alpha}.\, x E_\nu m : \nu F\mathcal{F} \le \mathcal{F}[F := \nu F\mathcal{F}].$$
If there is a monotonicity witness of $\lambda F\mathcal{F}$, we call $\nu F\mathcal{F}$ a proven monotone coinductive constructor of rank 2.

The types $(\nu F\mathcal{F})\rho$ are introduced via:
$$\frac{n : \mathcal{G}\ \mathrm{mon} \qquad s : \mathcal{G} \le \mathcal{F}[F := \mathcal{G}] \qquad t : \mathcal{G}\rho}{C_{\nu F\mathcal{F}}\,\rho\, n\, s\, t : (\nu F\mathcal{F})\rho}\ (\nu\text{-I})$$
For $n : \mathcal{G}\ \mathrm{mon}$ and $s : \mathcal{G} \le \mathcal{F}[F := \mathcal{G}]$ define
$$\mathcal{C}_{\nu F\mathcal{F}}\, n s := \Lambda\alpha\lambda x^{\mathcal{G}\alpha}.\, C_{\nu F\mathcal{F}}\,\alpha\, n\, s\, x : \mathcal{G} \le \nu F\mathcal{F}.$$
Finally, the $\beta$-rule of coiteration for rank 2 becomes:
$$(C_{\nu F\mathcal{F}}\,\rho\, n\, s\, t) E_\nu m \ \triangleright\ m R\,\mathcal{G}\,(\nu F\mathcal{F})\,(\mathcal{C}_{\nu F\mathcal{F}}\, n s)\,L\, n\,\rho\,(s\,\rho\, t)$$
It is again worth studying these notions in the light of category theory. Firstly, the system without terms has the following rules:
$$\frac{\lambda F\mathcal{F}\ \mathrm{mon}}{\nu F\mathcal{F} \le \mathcal{F}[F := \nu F\mathcal{F}]}\ (\nu\text{-E}) \qquad\text{and}\qquad \frac{\mathcal{G}\ \mathrm{mon} \qquad \mathcal{G} \le \mathcal{F}[F := \mathcal{G}]}{\mathcal{G} \le \nu F\mathcal{F}}\ (\nu\text{-I})$$
Hence, $\nu F\mathcal{F}$ is a post-fixed-point of $\lambda F\mathcal{F}$ if $\lambda F\mathcal{F}$ is monotone, and it is greater than or equal to any monotone post-fixed-point of $\lambda F\mathcal{F}$ (even without the assumption of $\lambda F\mathcal{F}$'s monotonicity). Since $\nu F\mathcal{F}$ is also monotone (see theorem 1), $\nu F\mathcal{F}$ is a maximal monotone post-fixed-point of $\lambda F\mathcal{F}$ provided $\lambda F\mathcal{F}$ is monotone. Therefore, it is appropriate to call $\nu F\mathcal{F}$ a coinductive constructor. Concerning terms and term rewrite rules, if we again have an endofunctor, i.e., a monotone $\lambda F\mathcal{F}$, a "$\lambda F\mathcal{F}$-coalgebra" is a monotone constructor $\mathcal{G}$ (which constructively means that we have a term $n : \mathcal{G}\ \mathrm{mon}$) together with a term $s : \mathcal{G} \le \mathcal{F}[F := \mathcal{G}]$. The constructor $\nu F\mathcal{F}$ is a weakly final $\lambda F\mathcal{F}$-coalgebra: It is a $\lambda F\mathcal{F}$-coalgebra and for any $\lambda F\mathcal{F}$-coalgebra, given by $\mathcal{G}$, $n : \mathcal{G}\ \mathrm{mon}$ and $s$, the term $\mathcal{C}_{\nu F\mathcal{F}}\, n s$ is a morphism from $\mathcal{G}$ to $\nu F\mathcal{F}$ such that the following diagram commutes:
$$\begin{array}{ccc}\mathcal{F}[F := \nu F\mathcal{F}] & \xleftarrow{\ \mathcal{E}_\nu m\ } & \nu F\mathcal{F} \\ \Big\uparrow{\scriptstyle \mathcal{F}[F := \mathcal{C}_{\nu F\mathcal{F}}\, n s]} & & \Big\uparrow{\scriptstyle \mathcal{C}_{\nu F\mathcal{F}}\, n s} \\ \mathcal{F}[F := \mathcal{G}] & \xleftarrow{\ s\ } & \mathcal{G}\end{array}$$
This time, the easiest definition of the action of the functor on such a morphism is given by $\mathcal{F}[F := \mathcal{C}_{\nu F\mathcal{F}}\, n s] := m R\,\mathcal{G}\,(\nu F\mathcal{F})\,(\mathcal{C}_{\nu F\mathcal{F}}\, n s)\,L\, n$ since it avoids using $\nu F\mathcal{F}$'s monotonicity. Hence, the possibility to choose whether to use the monotonicity of the first or second argument to $mR$ is vital to fulfill criterion 2 in the list on page 602.

Observe that the comparison of the figures displays the duality between $\mu F\mathcal{F}$ and $\nu F\mathcal{F}$ much better than that of the rules of iteration and coiteration.

This completes the definition of the extension of system $F^\omega$ by monotone inductive and coinductive constructors of rank 1 and rank 2, henceforth called system $\mathrm{MICC}^2$. (Although the different extensions have been described separately, it is understood that they are meant to be done simultaneously, which implies, e.g., the presence of the type $\mu\alpha.(\nu F\mathcal{F})\alpha$ in our system for arbitrary constructors $\mathcal{F}$.)
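The iteration rules of this section, read as a program: the following Python is an added example (it is not code from the paper) in which all types are erased. A rank-1 witness $m : \lambda\alpha\rho\ \mathrm{mon}$ becomes a function `m(f)` lifting $f : \sigma \to \tau$ to $\rho[\alpha := \sigma] \to \rho[\alpha := \tau]$; a rank-2 witness becomes a pair `(L, R)` mirroring the two components of $\lambda F\mathcal{F}\ \mathrm{mon}$, where `R(phi, side, w)` receives $\varphi : F \le G$ together with a rank-1 witness `w` for $F$ (`side == "L"`) or for $G$ (`side == "R"`), the two alternatives offered by the definition. The constructor terms store the witness just as $C_{\mu\alpha\rho}\, m\, t$ and $C_{\mu F\mathcal{F}}\,\rho\, m\, t$ do, and `iterate1`/`iterate2` execute the $\beta$-rules of iteration literally. The rank-1 datum is $\mu\alpha.1 + \alpha \times \alpha$ (binary tree shapes, which reappear in section 8); the rank-2 datum, $\mu F\lambda\alpha.1 + \alpha \times F(\alpha \times \alpha)$ (perfect binary trees), is my choice and not an example from the paper. The encodings of sums, unit and products are assumptions of this example.

```python
"""Iteration driven by monotonicity witnesses (types erased).

Sums are ("inl", x) / ("inr", x), the unit type 1 is (), products are
Python tuples. A rank-1 witness m is a function m(f) lifting f over rho.
A rank-2 witness is a pair (mL, mR):
  mL(n)            -- from n : G mon, a rank-1 witness for FF[F:=G]
  mR(phi, side, w) -- from phi : F <= G and a rank-1 witness w for F
                      (side "L") or for G (side "R"): FF[F:=F] <= FF[F:=G]
"""

UNIT = ()

def inl(x):
    return ("inl", x)

def inr(x):
    return ("inr", x)

# ---- rank 1: C_{mu alpha rho} m t and the rule (mu-E) -----------------------
def fold_in1(m, t):
    """(mu-I): the witness m travels with the term."""
    return ("C", m, t)

def iterate1(r, s):
    """(mu-E) r E_mu s by the beta-rule  (C m t) E s |> s (m (E s) t)."""
    _, m, t = r
    return s(m(lambda z: iterate1(z, s))(t))

def shape_witness(f):
    """Witness of (lambda alpha. 1 + alpha x alpha) mon."""
    def lift(t):
        tag, payload = t
        if tag == "inl":
            return inl(UNIT)
        left, right = payload
        return inr((f(left), f(right)))
    return lift

def leaf():
    return fold_in1(shape_witness, inl(UNIT))

def node(left, right):
    return fold_in1(shape_witness, inr((left, right)))

def count_leaves(tree):
    """Iteration into sigma := int."""
    def step(t):
        tag, payload = t
        return 1 if tag == "inl" else payload[0] + payload[1]
    return iterate1(tree, step)

# ---- rank 2: C_{mu F FF} rho m t and the rule (mu-E) with n : G mon ----------
def fold_in2(m, t):
    """(mu-I) for rank 2; the type argument rho is erased."""
    return ("C", m, t)

def iterate2(r, n, s):
    """(mu-E) r E_mu n s by the beta-rule (C m t) E n s |> s (mR (E n s) R n t):
    the recursive call is pushed inside t by the second component of m,
    consulting the monotonicity n of the target G (the "R" alternative)."""
    _, (mL, mR), t = r
    return s(mR(lambda z: iterate2(z, n, s), "R", n)(t))

# Constructor mu F lambda alpha. 1 + alpha x F(alpha x alpha): perfect trees,
# the element type doubles at every level.
def nest_L(n):
    """First component: from n : G mon build (lambda alpha. 1 + alpha x G(alpha x alpha)) mon."""
    def mon(f):
        def lift(t):
            tag, payload = t
            if tag == "inl":
                return inl(UNIT)
            a, rest = payload
            return inr((f(a), n(lambda p: (f(p[0]), f(p[1])))(rest)))
        return lift
    return mon

def nest_R(phi, side, w):
    """Second component: from phi : F <= G build FF[F:=F] <= FF[F:=G].
    F occurs once and unnested here, so the witness w is not needed."""
    def nat(t):
        tag, payload = t
        if tag == "inl":
            return inl(UNIT)
        a, rest = payload
        return inr((a, phi(rest)))
    return nat

NEST = (nest_L, nest_R)

def nil():
    return fold_in2(NEST, inl(UNIT))

def cons(a, rest):
    return fold_in2(NEST, inr((a, rest)))

def sum_nest(nest):
    """Iteration into G := lambda alpha. (alpha -> int) -> int, monotone via
    n f g = lambda k. g (k . f). G has to be a constructor rather than a type
    because the algebra is used at alpha, alpha x alpha, (alpha x alpha) x ... ."""
    def n(f):
        return lambda g: (lambda k: g(lambda a: k(f(a))))
    def step(t):
        tag, payload = t
        if tag == "inl":
            return lambda k: 0
        a, g = payload
        return lambda k: k(a) + g(lambda p: k(p[0]) + k(p[1]))
    return iterate2(nest, n, step)(lambda x: x)
```

`sum_nest(cons(1, cons((2, 3), cons(((4, 5), (6, 7)), nil()))))` walks a perfect tree whose levels hold one, two and four leaves and returns their sum; note that `step` never recurses itself, the recursion is entirely supplied by the witness, which is what makes the rules an iteration schema rather than general recursion.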



4 Monotone (Co-)Inductive Constructors are Monotone

Monotone inductive and monotone coinductive constructors of rank 2 are constructors $\mu F\mathcal{F}$ and $\nu F\mathcal{F}$ having rank 1. Therefore, we may ask whether they are in turn monotone (of rank 1) if $\lambda F\mathcal{F}$ is monotone (of rank 2). This is answered in the affirmative, and consequently, e.g., $\nu\alpha.(\mu F\mathcal{F})\alpha$ is a proven monotone coinductive type if $\mu F\mathcal{F}$ is a proven monotone inductive constructor.

Theorem 1. There are closed terms $M_{\mu F\mathcal{F}} : \lambda F\mathcal{F}\ \mathrm{mon} \to \mu F\mathcal{F}\ \mathrm{mon}$ and $M_{\nu F\mathcal{F}} : \lambda F\mathcal{F}\ \mathrm{mon} \to \nu F\mathcal{F}\ \mathrm{mon}$.

This shows that criterion 3 in the list on page 602 is met (the construction is "canonical" since the monotonicity witness is not analyzed at all; it is merely fed in as an argument⁹).

Proof. We argue slightly informally by assuming a term $m : \lambda F\mathcal{F}\ \mathrm{mon}$ and showing $\mu F\mathcal{F}\ \mathrm{mon}$ and $\nu F\mathcal{F}\ \mathrm{mon}$ using $m$. We begin with the inductive constructor. Introduce $\mu F\mathcal{F}$'s "positivization" $\mathcal{G} := \lambda\alpha\forall\beta.(\alpha \to \beta) \to (\mu F\mathcal{F})\beta$. In order to prove monotonicity of $\mu F\mathcal{F}$, it suffices to show that $\mu F\mathcal{F} \le \mathcal{G}$. Of course, this is done by proving that $\mathcal{G}$ gives rise to a $\lambda F\mathcal{F}$-algebra. We have the canonical monotonicity witness
$$n := \Lambda\alpha\Lambda\gamma\lambda f^{\alpha \to \gamma}\lambda x^{\mathcal{G}\alpha}\Lambda\beta\lambda y^{\gamma \to \beta}.\, x\,\beta\,(\lambda v^\alpha.\, y(f v)) : \mathcal{G}\ \mathrm{mon}$$
($\alpha$ occurs only non-strictly positively in $\forall\beta.(\alpha \to \beta) \to (\mu F\mathcal{F})\beta$). Abbreviate
$$\ell := \Lambda\alpha\lambda x^{\mathcal{G}\alpha}.\, x\,\alpha\,(\lambda y^\alpha.\, y) : \mathcal{G} \le \mu F\mathcal{F} \quad\text{and}$$
$$s := \Lambda\alpha\lambda x^{\mathcal{F}[F := \mathcal{G}]\alpha}\Lambda\beta\lambda f^{\alpha \to \beta}.\, C_{\mu F\mathcal{F}}\,\beta\, m\,\big(m R\,\mathcal{G}\,(\mu F\mathcal{F})\,\ell\, L\, n\,\beta\,(m L\,\mathcal{G}\, n\,\alpha\,\beta\, f\, x)\big)$$
which has type $\mathcal{F}[F := \mathcal{G}] \le \mathcal{G}$. The idea is: $\lambda F\mathcal{F}$ is monotone, hence also $\mathcal{F}[F := \mathcal{G}]$. Therefore, $\alpha \to \beta$ implies $\mathcal{F}[F := \mathcal{G}]\alpha \to \mathcal{F}[F := \mathcal{G}]\beta$. Thus, $m L\,\mathcal{G}\, n\,\alpha\,\beta\, f\, x : \mathcal{F}[F := \mathcal{G}]\beta$. Since $\lambda F\mathcal{F}$ is monotone and $\mathcal{G} \le \mu F\mathcal{F}$, we have $\mathcal{F}[F := \mathcal{G}] \le \mathcal{F}[F := \mu F\mathcal{F}]$, which is the type of $m R\,\mathcal{G}\,(\mu F\mathcal{F})\,\ell\, L\, n$. Consequently, the second argument to $C_{\mu F\mathcal{F}}\,\beta$ gets type $\mathcal{F}[F := \mu F\mathcal{F}]\beta$, hence the term starting with $C_{\mu F\mathcal{F}}$ has type $(\mu F\mathcal{F})\beta$. Since $x E_\mu n s$ has type $\mathcal{G}\alpha$, the proof is completed by
$$\Lambda\alpha\Lambda\beta\lambda f^{\alpha \to \beta}\lambda x^{(\mu F\mathcal{F})\alpha}.\, x E_\mu n s\,\beta\, f : \mu F\mathcal{F}\ \mathrm{mon}.$$

We turn to the coinductive constructor. $\mathcal{G}$ is a positivization of $\mu F\mathcal{F}$ which is less than or equal to $\mu F\mathcal{F}$. Dually, we seek a positivization of $\nu F\mathcal{F}$ which is greater than or equal to $\nu F\mathcal{F}$.¹⁰ Instead of taking $\lambda\beta\exists\alpha.(\alpha \to \beta) \times (\nu F\mathcal{F})\alpha$, we avoid the $\exists$ type and set $\mathcal{H} := \lambda\beta\forall\gamma.(\forall\alpha.(\alpha \to \beta) \to (\nu F\mathcal{F})\alpha \to \gamma) \to \gamma$.

We will recycle the names $n$, $\ell$, $s$. Since $\mathcal{H}$ is also non-strictly positive, it has a canonical monotonicity witness
$$n := \Lambda\beta\Lambda\delta\lambda f^{\beta \to \delta}\lambda x^{\mathcal{H}\beta}\Lambda\gamma\lambda y^{\forall\alpha.(\alpha \to \delta) \to (\nu F\mathcal{F})\alpha \to \gamma}.\, x\,\gamma\,(\Lambda\alpha\lambda u^{\alpha \to \beta}.\, y\,\alpha\,(\lambda v^\alpha.\, f(u v))) : \mathcal{H}\ \mathrm{mon}.$$
Set $\ell : \nu F\mathcal{F} \le \mathcal{H}$ to be the canonical injection and show that we have got a $\lambda F\mathcal{F}$-coalgebra by finding a term of type $\mathcal{H} \le \mathcal{F}[F := \mathcal{H}]$:
$$s := \Lambda\beta\lambda x^{\mathcal{H}\beta}.\, x\,(\mathcal{F}[F := \mathcal{H}]\beta)\,(\Lambda\alpha\lambda f^{\alpha \to \beta}\lambda z^{(\nu F\mathcal{F})\alpha}.\, t)$$
where we used $t := m L\,\mathcal{H}\, n\,\alpha\,\beta\, f\,\big(m R\,(\nu F\mathcal{F})\,\mathcal{H}\,\ell\, R\, n\,\alpha\,(z E_\nu m)\big) : \mathcal{F}[F := \mathcal{H}]\beta$. (Note that $z E_\nu m$ has type $\mathcal{F}[F := \nu F\mathcal{F}]\alpha$ and that the idea for finding $t$ is essentially the same as in the proof of $\mu F\mathcal{F}$'s monotonicity.) The proof is finished with the coiteration $\mathcal{C}_{\nu F\mathcal{F}}\, n s$ from $\mathcal{H}$ into $\nu F\mathcal{F}$, which yields a term of type $\nu F\mathcal{F}\ \mathrm{mon}$ that is again a bit weird due to the impredicative encoding of the existential quantifier. □

⁹ Even $\lambda F\mathcal{F}$ is only a parameter not to be analyzed: We could even provide an inhabitant of $\forall X^{(* \Rightarrow *) \Rightarrow * \Rightarrow *}.\, X\ \mathrm{mon} \to (\mu F.XF)\ \mathrm{mon} \times (\nu F.XF)\ \mathrm{mon}$.

¹⁰ The lattice-theoretic version of $\mathcal{G}$ is called the lower monotonization of an operator in [10, p.83]. Its dual (the "upper monotonization" of an operator), when written in type theory, gives $\mathcal{H}$. Both play a central role in understanding inductive and coinductive types à la Mendler, see [11] for the definition, [15] for the explanation and [10] for applications to monotone inductive types.

Notice that for the proofs it has been essential to be free to decide whether to provide monotonicity for the first or the second constructor argument when using monotonicity of $\lambda F\mathcal{F}$. In the proof, the other argument has always been that for which we tried to prove monotonicity! Obviously, one cannot require both arguments to be monotone and get the proof through. Neither can we dispense with monotonicity of the arguments altogether since we would not get, e.g., a witness for $\lambda F\lambda\alpha.F(F\alpha)\ \mathrm{mon}$ and hence would arrive at too narrow a concept. If we required monotonicity only of the first argument, then the rule of iteration would have to refer to the monotonicity of $\mu F\mathcal{F}$. Although our monotonicity proof would still go through, this considerably complex term would enormously blow up the terms during iteration (not to speak of the deviation from the wanted behaviour). On the contrary, if we required monotonicity only of the second argument, iteration would not have to be changed, but there would be no way to recover the proof of monotonicity for $\mu F\mathcal{F}$. Moreover, the situation for coiteration would always be the other way round, and it would hardly be acceptable if different notions of monotonicity were required for the treatment of inductive and coinductive constructors.

The categorial perspective did not at all suggest our definition of monotonicity for rank 2. Categorially, one would consider the category of endofunctors (see [1] for a recent treatment of rank 2 in this framework) and would never speak about other entities, whereas we also make requirements for non-monotone arguments. And, of course, monotonicity is only a part of functoriality, since "coherence" is not dealt with: functor laws cannot be expressed in our type system.

5 $\mathrm{MICC}^2$ Embeds into System $F^\omega$

It is well-known that iteration and coiteration may be encoded impredicatively, and that this can be done such that strong normalization of the system with iteration and coiteration can be inferred from that of the impredicative system, see e.g. [5, 15]. This also worked easily for monotone inductive types [13, 10]. Hence, it does not come as a surprise that $\mathrm{MICC}^2$ embeds into $F^\omega$.

Theorem 2. There is an embedding of $\mathrm{MICC}^2$ into $F^\omega$, i.e., for every constructor $\mathcal{X}$ of kind $\kappa$ in $\mathrm{MICC}^2$ there is a constructor $\mathcal{X}'$ of kind $\kappa$ in $F^\omega$, and for every term $r$ of type $\rho$ in $\mathrm{MICC}^2$ there is a term $r'$ of type $\rho'$ in $F^\omega$ such that whenever $r \triangleright s$ in $\mathrm{MICC}^2$, then $r' \triangleright^{+} s'$ in $F^\omega$ (every step in $\mathrm{MICC}^2$ is translated into at least one step in $F^\omega$).

Proof. The definition is by iteration on constructors and by iteration on terms, respectively. We only consider the most interesting non-homomorphic clauses. Note that only (co-)inductive constructors are affected and that we therefore have $(\mathcal{F} \le \mathcal{G})' = \mathcal{F}' \le \mathcal{G}'$ and $(\mathcal{X}\ \mathrm{mon})' = \mathcal{X}'\ \mathrm{mon}$. It will also be clear that $(\mathcal{X}[X := \mathcal{Y}])' = \mathcal{X}'[X := \mathcal{Y}']$, $(r[X := \mathcal{Y}])' = r'[X := \mathcal{Y}']$ and $(r[x^\rho := s])' = r'[x^{\rho'} := s']$. Define
$$(\mu\alpha\rho)' := \forall\alpha.(\rho' \to \alpha) \to \alpha$$
$$(r E_\mu s)' := r'\,\sigma'\, s'$$
$$(C_{\mu\alpha\rho}\, m\, t)' := \Lambda\alpha\lambda x^{\rho' \to \alpha}.\, x\big(m'\,(\mu\alpha\rho)'\,\alpha\,(\lambda z^{(\mu\alpha\rho)'}.\, z\,\alpha\, x)\, t'\big)$$
$$(\mu F\mathcal{F})' := \lambda\alpha\forall F.\, F\ \mathrm{mon} \to \mathcal{F}' \le F \to F\alpha$$
$$(r E_\mu n s)' := r'\,\mathcal{G}'\, n'\, s'$$
$$(C_{\mu F\mathcal{F}}\,\rho\, m\, t)' := \Lambda F\lambda y^{F\ \mathrm{mon}}\lambda x^{\mathcal{F}' \le F}.\, x\,\rho'\,\big(m' R\,(\mu F\mathcal{F})'\,F\,(\Lambda\alpha\lambda z^{(\mu F\mathcal{F})'\alpha}.\, z\,F\,y\,x)\,R\,y\,\rho'\,t'\big)$$
We do not set $(\nu\alpha\rho)'$ to $\exists\alpha.(\alpha \to \rho') \times \alpha$ but avoid the existential type by the following definitions:
$$(\nu\alpha\rho)' := \forall\beta.(\forall\alpha.(\alpha \to \rho') \to \alpha \to \beta) \to \beta$$
$$(C_{\nu\alpha\rho}\, s\, t)' := \Lambda\beta\lambda z^{\forall\alpha.(\alpha \to \rho') \to \alpha \to \beta}.\, z\,\sigma'\, s'\, t'$$
$$(r E_\nu m)' := r'\,(\rho[\alpha := \nu\alpha\rho])'\,\big(\Lambda\alpha\lambda z_1^{\alpha \to \rho'}\lambda z_2^{\alpha}.\, m'\,\alpha\,(\nu\alpha\rho)'\,(\lambda x^\alpha\Lambda\beta\lambda z^{\forall\alpha.(\alpha \to \rho') \to \alpha \to \beta}.\, z\,\alpha\, z_1\, x)\,(z_1 z_2)\big)$$
$$(\nu F\mathcal{F})' := \lambda\alpha\forall\beta.(\forall F.\, F\ \mathrm{mon} \to F \le \mathcal{F}' \to F\alpha \to \beta) \to \beta$$
$$(C_{\nu F\mathcal{F}}\,\rho\, n\, s\, t)' := \Lambda\beta\lambda z^{\forall F.\, F\ \mathrm{mon} \to F \le \mathcal{F}' \to F\rho' \to \beta}.\, z\,\mathcal{G}'\, n'\, s'\, t'$$
$$(r E_\nu m)' := r'\,(\mathcal{F}[F := \nu F\mathcal{F}]\rho)'\,\big(\Lambda F\lambda y^{F\ \mathrm{mon}}\lambda z_1^{F \le \mathcal{F}'}\lambda z_2^{F\rho'}.\, m' R\,F\,(\nu F\mathcal{F})'\,(\Lambda\alpha\lambda x^{F\alpha}\Lambda\beta\lambda z^{\forall F.\, F\ \mathrm{mon} \to F \le \mathcal{F}' \to F\alpha \to \beta}.\, z\,F\,y\,z_1\,x)\,L\,y\,\rho'\,(z_1\,\rho'\, z_2)\big)$$
It is not too hard to check the translation of steps of $\mathrm{MICC}^2$ into those of $F^\omega$. □

Corollary 1. System $\mathrm{MICC}^2$ is strongly normalizing, i.e., $\triangleright$ is well-founded.

Proof. It is well-known that $F^\omega$ is strongly normalizing ([7] only considered weak normalization although his proof method copes with strong normalization as well) and, certainly, strong normalization is inherited via embeddings. □

In this impredicative encoding, the previous section's concern becomes irrelevant since $(\mu F\mathcal{F})'$ and $(\nu F\mathcal{F})'$ are always monotone regardless of monotonicity of $\lambda F\mathcal{F}$. In some sense, $\alpha$ occurs only strictly positively in the kernel of $(\mu F\mathcal{F})'$ and only non-strictly positively in the kernel of $(\nu F\mathcal{F})'$. In fact, it easily follows from theorem 3 below that there are closed terms of type $(\mu F\mathcal{F})'\ \mathrm{mon}$ and of type $(\nu F\mathcal{F})'\ \mathrm{mon}$. In the general lattice-theoretic situation (that of Tarski's fixed-point theorem), this phenomenon also occurs: The pointwise infimum of all the pre-fixed-points of an operator on a lattice of monotone set-theoretic functions is automatically monotone.

6 Extension by Primitive (Co-)Recursion

System $\mathrm{MICC}^2$ may now easily be extended by the concept of primitive recursion which is extremely unlikely to have a reasonable embedding into system $F^\omega$ [14]. We just have to add another elimination rule for $\mu F\mathcal{F}$ and a new $\beta$-reduction rule of primitive recursion. We abbreviate $\mathcal{F} \times \mathcal{G} := \lambda\alpha.\mathcal{F}\alpha \times \mathcal{G}\alpha$.
$$\frac{r : (\mu F\mathcal{F})\rho \qquad s : \mathcal{F}[F := \mu F\mathcal{F} \times \mathcal{G}] \le \mathcal{G}}{r E^{+}_\mu s : \mathcal{G}\rho}\ (\mu\text{-E}^{+})$$
For $s : \mathcal{F}[F := \mu F\mathcal{F} \times \mathcal{G}] \le \mathcal{G}$ define $\mathcal{E}^{+}_\mu s := \Lambda\alpha\lambda x^{(\mu F\mathcal{F})\alpha}.\, x E^{+}_\mu s : \mu F\mathcal{F} \le \mathcal{G}$.

The $\beta$-rule of primitive recursion for rank 2 is
$$(C_{\mu F\mathcal{F}}\,\rho\, m\, t) E^{+}_\mu s \ \triangleright\ s\,\rho\,\big(m R\,(\mu F\mathcal{F})\,(\mu F\mathcal{F} \times \mathcal{G})\,(\Lambda\alpha\lambda x^{(\mu F\mathcal{F})\alpha}.\,\langle x, \mathcal{E}^{+}_\mu s\,\alpha\, x\rangle)\,L\,(M_{\mu F\mathcal{F}} m)\,\rho\, t\big)$$
Notice that we no longer require $\mathcal{G}\ \mathrm{mon}$ since we anyway have to refer to $\mu F\mathcal{F}$'s monotonicity as expressed by $M_{\mu F\mathcal{F}}$.

The respective treatment for rank 1 in [10] is now obvious:
$$\frac{r : \mu\alpha\rho \qquad s : \rho[\alpha := \mu\alpha\rho \times \sigma] \to \sigma}{r E^{+}_\mu s : \sigma}\ (\mu\text{-E}^{+})$$
For $s : \rho[\alpha := \mu\alpha\rho \times \sigma] \to \sigma$ define $\mathcal{E}^{+}_\mu s := \lambda x^{\mu\alpha\rho}.\, x E^{+}_\mu s : \mu\alpha\rho \to \sigma$. The $\beta$-rule of primitive recursion of rank 1 is
$$(C_{\mu\alpha\rho}\, m\, t) E^{+}_\mu s \ \triangleright\ s\big(m\,(\mu\alpha\rho)\,(\mu\alpha\rho \times \sigma)\,(\lambda x^{\mu\alpha\rho}.\,\langle x, \mathcal{E}^{+}_\mu s\, x\rangle)\, t\big)$$
In [10] it is shown that this schema may be embedded into that of primitive recursion only for non-strictly positive inductive types. Also, this primitive recursion captures the intuitive notion of primitive recursion. In the rank 2 case, the author has no knowledge of interesting examples. On the contrary, its dualization to corecursion would be useful in defining substitution for non-wellfounded terms involving binding. For lack of space, the definition of corecursion of rank 2 is left out.

7 Proven Monotone (Co-)Inductive Constructors

There is a wealth of constructors having monotonicity witnesses. Below a list of closure properties will be given. It turns out, however, that this wealth cannot be grasped without the companion notion of anti-monotonicity. Somewhat surprisingly, we only need it for rank 1. Set $\mathcal{F}\ \mathrm{mon}^{-} := \forall\alpha\forall\beta.(\alpha \to \beta) \to \mathcal{F}\beta \to \mathcal{F}\alpha$. Aiming at a concise description, let $p$ always range over the set of polarities $\{+, -\}$, set $-+ := -$ and $-- := +$ and $\mathcal{F}\ \mathrm{mon}^{+} := \mathcal{F}\ \mathrm{mon}$. Hence $\mathcal{F}\ \mathrm{mon}^{p}$ and $\mathcal{F}\ \mathrm{mon}^{-p}$ are always types.

Theorem 3. There are closed terms of the following types:

1. $\lambda\alpha\rho\ \mathrm{mon}^{p}$ if $\alpha$ does not occur free in $\rho$

2. $\lambda\alpha\alpha\ \mathrm{mon}^{+}$

3. $\lambda\alpha\rho\ \mathrm{mon}^{p} \to \lambda\alpha\sigma\ \mathrm{mon}^{p} \to \lambda\alpha.\rho \times \sigma\ \mathrm{mon}^{p}$

4. $\lambda\alpha\rho\ \mathrm{mon}^{p} \to \lambda\alpha\sigma\ \mathrm{mon}^{p} \to \lambda\alpha.\rho + \sigma\ \mathrm{mon}^{p}$

5. $\lambda\alpha\rho\ \mathrm{mon}^{-p} \to \lambda\alpha\sigma\ \mathrm{mon}^{p} \to \lambda\alpha.\rho \to \sigma\ \mathrm{mon}^{p}$

6. $(\rho \to \lambda\alpha\sigma\ \mathrm{mon}^{p}) \to \lambda\alpha.\rho \to \sigma\ \mathrm{mon}^{p}$ if $\alpha$ does not occur free in $\rho$

7. $(\forall X^\kappa.\lambda\alpha\rho\ \mathrm{mon}^{p}) \to \lambda\alpha\forall X^\kappa\rho\ \mathrm{mon}^{p}$

8. $(\forall\alpha.\lambda\gamma\rho\ \mathrm{mon}^{+}) \to (\forall\gamma.\lambda\alpha\rho\ \mathrm{mon}^{p}) \to \lambda\alpha\mu\gamma\rho\ \mathrm{mon}^{p}$

9. $(\forall\alpha.\lambda\gamma\rho\ \mathrm{mon}^{+}) \to (\forall\gamma.\lambda\alpha\rho\ \mathrm{mon}^{p}) \to \lambda\alpha\nu\gamma\rho\ \mathrm{mon}^{p}$

10. $\lambda F\lambda\alpha\rho\ \mathrm{mon} \to \lambda\alpha\rho\ \mathrm{mon}^{+}$ if $F$ does not occur free in $\lambda\alpha\rho$

11. $\lambda F\mathcal{F}\ \mathrm{mon} \to (\forall F.\, F\ \mathrm{mon} \to \forall\gamma(\lambda\alpha.\mathcal{F}\gamma\ \mathrm{mon})) \to \lambda\alpha.(\mu F\mathcal{F})\alpha\ \mathrm{mon}^{+}$

12. $\lambda F\mathcal{F}\ \mathrm{mon} \to (\forall F.\, F\ \mathrm{mon} \to \forall\gamma(\lambda\alpha.\mathcal{F}\gamma\ \mathrm{mon})) \to \lambda\alpha.(\nu F\mathcal{F})\alpha\ \mathrm{mon}^{+}$

13. $\lambda\alpha\rho\ \mathrm{mon}^{+} \to \lambda F\lambda\alpha\rho\ \mathrm{mon}$ if $F$ does not occur free in $\lambda\alpha\rho$

14. $\lambda FF\ \mathrm{mon}$

15. $\lambda F\mathcal{F}\ \mathrm{mon} \to \lambda F\mathcal{G}\ \mathrm{mon} \to \lambda F.\mathcal{F} \times \mathcal{G}\ \mathrm{mon}$

16. $\lambda F\mathcal{F}\ \mathrm{mon} \to \lambda F\mathcal{G}\ \mathrm{mon} \to \lambda F.\mathcal{F} + \mathcal{G}\ \mathrm{mon}$ with $\mathcal{F} + \mathcal{G} := \lambda\alpha.\mathcal{F}\alpha + \mathcal{G}\alpha$

17. $(\forall F.\lambda G\mathcal{F}\ \mathrm{mon}) \to (\forall G.\lambda F\mathcal{F}\ \mathrm{mon}) \to \lambda F\mu G\mathcal{F}\ \mathrm{mon}$

18. $(\forall F.\lambda G\mathcal{F}\ \mathrm{mon}) \to (\forall G.\lambda F\mathcal{F}\ \mathrm{mon}) \to \lambda F\nu G\mathcal{F}\ \mathrm{mon}$

19. $\lambda F\mathcal{F}\ \mathrm{mon} \to \lambda F\mathcal{G}\ \mathrm{mon} \to \lambda F\lambda\alpha.\mathcal{F}(\mathcal{G}\alpha)\ \mathrm{mon}$¹¹

An informal claim is the "canonicity" of all those proofs as long as their goal does not degenerate to be covered by 1 or 13.

Proof. The first 9 properties are quite common since they (except for number 6) form the basis of the definition of canonical monotonicity witnesses for positive inductive and coinductive types (see e.g. [9, 8, 5, 10]).

Rules 11 and 12 are proved by first establishing $\forall\gamma(\lambda\alpha.(\mu F\mathcal{F})\gamma\ \mathrm{mon})$ and $\forall\gamma(\lambda\alpha.(\nu F\mathcal{F})\gamma\ \mathrm{mon})$, using the assumptions. For this to work, one has to make use of theorem 1.

The other rules are more or less adaptations of those for rank 1 to rank 2. The interesting new case is 19. We assume $m_1 : \lambda F\mathcal{F}\ \mathrm{mon}$, $m_2 : \lambda F\mathcal{G}\ \mathrm{mon}$ and show $\lambda F\lambda\alpha.\mathcal{F}(\mathcal{G}\alpha)\ \mathrm{mon}$. Clearly, the proof will be a pair. Its first component, having type $\forall F.\, F\ \mathrm{mon} \to \lambda\alpha.\mathcal{F}(\mathcal{G}\alpha)\ \mathrm{mon}$, is
$$\Lambda F\lambda x^{F\ \mathrm{mon}}\Lambda\alpha\Lambda\beta\lambda f^{\alpha \to \beta}.\, m_1 L\,F\,x\,(\mathcal{G}\alpha)\,(\mathcal{G}\beta)\,(m_2 L\,F\,x\,\alpha\,\beta\,f)$$
We abbreviate $\mathcal{F}' := \mathcal{F}[F := G]$ and $\mathcal{G}' := \mathcal{G}[F := G]$. Then the second component is given by $\Lambda F\Lambda G\lambda x^{F \le G}.\,\langle\lambda y^{F\ \mathrm{mon}}\Lambda\alpha.\, t_1,\ \lambda y^{G\ \mathrm{mon}}\Lambda\alpha.\, t_2\rangle$ with $t_1$ and $t_2$ of type $\mathcal{F}(\mathcal{G}\alpha) \to \mathcal{F}'(\mathcal{G}'\alpha)$, defined by
$$t_1 := \lambda z^{\mathcal{F}(\mathcal{G}\alpha)}.\, m_1 R\,F\,G\,x\,L\,y\,(\mathcal{G}'\alpha)\,\big(m_1 L\,F\,y\,(\mathcal{G}\alpha)\,(\mathcal{G}'\alpha)\,(m_2 R\,F\,G\,x\,L\,y\,\alpha)\,z\big)$$
$$t_2 := \lambda z^{\mathcal{F}(\mathcal{G}\alpha)}.\, m_1 L\,G\,y\,(\mathcal{G}\alpha)\,(\mathcal{G}'\alpha)\,(m_2 R\,F\,G\,x\,R\,y\,\alpha)\,\big(m_1 R\,F\,G\,x\,R\,y\,(\mathcal{G}\alpha)\,z\big)$$
Their ideas are as follows: In $t_1$ we first show $\mathcal{G}\alpha \to \mathcal{G}'\alpha$, then lift this to $\mathcal{F}(\mathcal{G}\alpha) \to \mathcal{F}(\mathcal{G}'\alpha)$. We compose this with $\mathcal{F}(\mathcal{G}'\alpha) \to \mathcal{F}'(\mathcal{G}'\alpha)$. In this case, $\mathcal{F}'\ \mathrm{mon}$ is not available. In $t_2$, we show $\mathcal{F}(\mathcal{G}\alpha) \to \mathcal{F}'(\mathcal{G}\alpha)$, then we lift $\mathcal{G}\alpha \to \mathcal{G}'\alpha$ to $\mathcal{F}'(\mathcal{G}\alpha) \to \mathcal{F}'(\mathcal{G}'\alpha)$ and finally compose. Here, $\mathcal{F}\ \mathrm{mon}$ is not available. This shows that although two different strategies for proving $\mathcal{F}(\mathcal{G}\alpha) \to \mathcal{F}'(\mathcal{G}'\alpha)$ exist, we have no choice when producing $t_1$ and $t_2$. □

¹¹ This could be formulated slightly better by referring to universally quantified types such as $\forall X^{(* \Rightarrow *) \Rightarrow * \Rightarrow *}\forall Y^{(* \Rightarrow *) \Rightarrow * \Rightarrow *}.\, X\ \mathrm{mon} \to Y\ \mathrm{mon} \to \lambda F\lambda\alpha.XF(YF\alpha)\ \mathrm{mon}$ instead of 19.
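The two strategies $t_1$ and $t_2$ from the proof of 19, executed: the following Python is an added example (not code from the paper) in which rank-2 witnesses are, as before, pairs `(L, R)` with types erased, `R(phi, side, w)` receiving $\varphi : F \le G$ and a rank-1 witness `w` for $F$ (`"L"`) or $G$ (`"R"`). `compose` builds the witness of $\lambda F\lambda\alpha.\mathcal{F}(\mathcal{G}\alpha)$ from $m_1$ and $m_2$; the concrete instance $\mathcal{F} := \lambda F\lambda\alpha.F\alpha \times F\alpha$ and $\mathcal{G} := \lambda F\lambda\alpha.1 + F\alpha$ is my choice, picked because the composite body $F(1 + F\alpha) \times F(1 + F\alpha)$ is nested in the way section 8's de Bruijn variant is. With $F := G :=$ Python lists and $\varphi :=$ list reversal (a natural transformation), both strategies must agree, and the test checks that they do.

```python
"""Closure of rank-2 monotonicity under composition (Theorem 3, item 19), types erased.
A rank-2 witness is a pair (L, R):
  L(n)            : from n : G mon, a rank-1 witness (fmap) for FF[F:=G]
  R(phi, side, w) : from phi : F <= G and w a rank-1 witness for F ("L")
                    or for G ("R"), a map FF[F:=F] <= FF[F:=G]."""

UNIT = ()
def inl(x): return ("inl", x)
def inr(x): return ("inr", x)

def compose(m1, m2):
    """Witness of lambda F lambda alpha. FF(GG alpha) from m1 : (lambda F.FF) mon
    and m2 : (lambda F.GG) mon, following t_1 (side "L") and t_2 (side "R")."""
    m1L, m1R = m1
    m2L, m2R = m2

    def L(n):
        # first component: lift f through GG, then through FF, both at F := G
        return lambda f: m1L(n)(m2L(n)(f))

    def R(phi, side, w):
        if side == "L":
            # t_1: GG a -> GG' a, lifted by FF mon (w : F mon), then FF(GG' a) -> FF'(GG' a);
            # FF' mon is not available and is not used.
            inner = m1L(w)(m2R(phi, "L", w))
            return lambda z: m1R(phi, "L", w)(inner(z))
        # t_2: FF(GG a) -> FF'(GG a) first, then GG a -> GG' a lifted by FF' mon (w : G mon);
        # FF mon is not available and is not used.
        outer = m1L(w)(m2R(phi, "R", w))
        return lambda z: outer(m1R(phi, "R", w)(z))

    return (L, R)

# FF := lambda F lambda alpha. F alpha x F alpha
def pair_L(n):
    return lambda f: (lambda p: (n(f)(p[0]), n(f)(p[1])))

def pair_R(phi, side, w):
    return lambda p: (phi(p[0]), phi(p[1]))

# GG := lambda F lambda alpha. 1 + F alpha
def maybe_L(n):
    return lambda f: (lambda t: inl(UNIT) if t[0] == "inl" else inr(n(f)(t[1])))

def maybe_R(phi, side, w):
    return lambda t: inl(UNIT) if t[0] == "inl" else inr(phi(t[1]))

PAIR, MAYBE = (pair_L, pair_R), (maybe_L, maybe_R)
NESTED = compose(PAIR, MAYBE)      # body: F(1 + F alpha) x F(1 + F alpha)

def list_map(f):
    """F := G := list; this is a rank-1 witness."""
    return lambda xs: [f(x) for x in xs]

def reverse(xs):
    """phi : list <= list, a natural transformation."""
    return list(reversed(xs))

def both_strategies(value):
    """Apply the second component with side "L" and with side "R" to one value
    of type F(1 + F alpha) x F(1 + F alpha) at F := list."""
    _, R = NESTED
    return R(reverse, "L", list_map)(value), R(reverse, "R", list_map)(value)

def fmap_nested(f, value):
    """The first component at F := list: f applied to every leaf."""
    L, _ = NESTED
    return L(list_map)(f)(value)
```

On `([inl(UNIT), inr([1, 2])], [inr([3])])` both strategies reverse the outer lists and the inner ones, returning `([inr([2, 1]), inl(UNIT)], [inr([3])])`; the order in which the two layers are crossed differs, the result does not, which is what the remark "we have no choice when producing $t_1$ and $t_2$" amounts to computationally.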
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8 Examples and Future Work 

We start with an example not to be found from Theorem 3 alone: there is a witness for $\lambda F\lambda\beta.\,\mu\alpha.(((\alpha\to\gamma)\to\alpha)\to\alpha)\to(F(\ldots\beta))\ \mathrm{mon}$ (the argument of $F$ is illegible in the scan). This follows from Theorem 3 as soon as we give a monotonicity witness for the constructor $\lambda\alpha.(((\alpha\to\gamma)\to\alpha)\to\alpha)\to\alpha$, proposed by U. Berger as the first example of a non-positive and monotone constructor of rank 1: the last but one occurrence of $\alpha$ is at a negative position. Nevertheless, it is not hard to find a monotonicity witness. For the examples to follow, set $0 := \mu\alpha.\alpha$ and $1 := \nu\alpha.\alpha$, which are proven monotone.
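The witness that is called "not hard to find" can be written out. The following term is an added illustration and not taken from the paper; it writes $\Phi := \lambda\alpha.(((\alpha\to\gamma)\to\alpha)\to\alpha)\to\alpha$ and assumes the rank 1 notion $\Phi\ \mathrm{mon} := \forall\alpha\forall\beta.\,(\alpha\to\beta)\to\Phi\alpha\to\Phi\beta$:

$$\lambda\alpha\lambda\beta\lambda f^{\alpha\to\beta}\lambda g^{\Phi\alpha}\lambda h^{((\beta\to\gamma)\to\beta)\to\beta}.\; h\,\Big(\lambda v^{\beta\to\gamma}.\, f\,\big(g\,(\lambda k^{(\alpha\to\gamma)\to\alpha}.\, k\,(\lambda a^{\alpha}.\, v\,(f\,a)))\big)\Big)$$

Type checking from the inside out: $\lambda a.\,v(f\,a) : \alpha\to\gamma$, so $k(\ldots) : \alpha$ and $\lambda k.\ldots : ((\alpha\to\gamma)\to\alpha)\to\alpha$; hence $g(\ldots) : \alpha$, $f(g(\ldots)) : \beta$, $\lambda v.\ldots : (\beta\to\gamma)\to\beta$, and $h(\ldots) : \beta$. The negative occurrence of $\alpha$ is handled by precomposing the continuation $v$ with $f$: a continuation at type $\beta$ becomes one at type $\alpha$, which is the direction the negative position requires.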

Untyped $\lambda$-calculus may be represented with de Bruijn indices, and this can be reflected in the constructor $\mathcal{T} := \mu F\lambda\alpha.\,\alpha + F(1+\alpha) + (F\alpha\times F\alpha)$. $\mathcal{T}\rho$ would be the type of untyped $\lambda$-terms having free variables taken from $\rho$. Clearly, Theorem 3 implies that $\mathcal{T}$ is a proven monotone inductive constructor. By iteration on $\mathcal{T}$, substitution can be defined. The result is the same as that of the structurally inductive approach in [2]. The representation is also studied in [3], but with the concept of generalized folds. [3] also exhibits a variation, called an "extension of de Bruijn's notation", which in our notation reads $\mu F\lambda\alpha.\,\alpha + F(1+F\alpha) + (F\alpha\times F\alpha)$. No doubt, Theorem 3 shows that this is a proven monotone inductive constructor. Note the nesting of $F$, which clearly requires the relativization to monotone $F$ in the definition of rank 2 monotonicity. Again, substitution can be easily defined by rank 2 iteration. Another proven monotone variation would be $\mu F\lambda\alpha.\,\alpha + F(1+\alpha) + (F\alpha\times F\alpha) + ((F\alpha\to 0)\to 0)$, which would add a kind of continuation terms to the untyped $\lambda$-calculus.
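The representation $\mathcal{T}\rho = \rho + \mathcal{T}(1+\rho) + (\mathcal{T}\rho\times\mathcal{T}\rho)$ and substitution by iteration, as an added runnable example; this is not code from the paper or from [2], [3]. It models $1+\rho$ by two constructed classes `Here` (the bound index) and `There` (a variable of $\rho$ seen one binder deeper), and the names `fold`, `rename`, `subst` and `beta` are this example's own. Python does not check the rank 2 typing, so the carrier constructors are only recorded in comments; the point shown is that the iteration must use a function-typed carrier so that the renaming or substitution can change when the fold passes a binder, and that weakening with `rename(There, ...)` is exactly the de Bruijn shift.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Any, Callable, Union

# Constructed example: the nested datatype
#   T rho = rho + T(1 + rho) + (T rho x T rho)
# of untyped lambda terms in de Bruijn style.  The summand 1 + rho is modelled by
# Here (the single element of 1: the variable bound by the nearest Lam) and
# There (an element of rho, seen one binder deeper).


@dataclass(frozen=True)
class Here:
    pass


@dataclass(frozen=True)
class There:
    var: Any


@dataclass(frozen=True)
class Var:
    name: Any                 # an element of rho


@dataclass(frozen=True)
class App:
    fun: "Term"
    arg: "Term"


@dataclass(frozen=True)
class Lam:
    body: "Term"              # a term over 1 + rho


Term = Union[Var, App, Lam]


def fold(var: Callable, lam: Callable, app: Callable, t: Term):
    """Rank-2 iteration on T.  The three step functions describe a carrier
    constructor G at every instance rho at once (var: rho -> G rho,
    lam: G(1+rho) -> G rho, app: G rho x G rho -> G rho); the recursive call
    under Lam is at the instance 1+rho, i.e. polymorphic recursion."""
    if isinstance(t, Var):
        return var(t.name)
    if isinstance(t, Lam):
        return lam(fold(var, lam, app, t.body))
    return app(fold(var, lam, app, t.fun), fold(var, lam, app, t.arg))


def _under_binder(g: Callable) -> Callable:
    """Lift a map on rho to 1 + rho: the bound variable is left alone."""
    return lambda o: Here() if isinstance(o, Here) else There(g(o.var))


def rename(f: Callable, t: Term) -> Term:
    """The monotonicity witness of T: rename variables along f : rho -> rho'.
    Carrier G rho = (rho -> rho') -> T rho', so the map can change under Lam."""
    return fold(lambda x: (lambda g: Var(g(x))),
                lambda h: (lambda g: Lam(h(_under_binder(g)))),
                lambda h1, h2: (lambda g: App(h1(g), h2(g))),
                t)(f)


def subst(t: Term, s: Callable) -> Term:
    """Simultaneous substitution along s : rho -> T rho', by the same iteration
    with carrier G rho = (rho -> T rho') -> T rho'.  Under a Lam the substitution
    is extended to 1 + rho: Here stays Here, and terms substituted for
    There-variables are weakened by rename(There, ...), the de Bruijn shift, so
    no variable can be captured."""
    def extend(s1: Callable) -> Callable:
        return lambda o: Var(Here()) if isinstance(o, Here) else rename(There, s1(o.var))
    return fold(lambda x: (lambda s1: s1(x)),
                lambda h: (lambda s1: Lam(h(extend(s1)))),
                lambda h1, h2: (lambda s1: App(h1(s1), h2(s1))),
                t)(s)


def beta(t: Term) -> Term:
    """One beta step at the root: (Lam body) arg  ->  body[Here := arg]."""
    assert isinstance(t, App) and isinstance(t.fun, Lam), "no redex at the root"
    arg = t.arg
    return subst(t.fun.body, lambda o: arg if isinstance(o, Here) else Var(o.var))


if __name__ == "__main__":
    # (\x. x y) z, free variables named by strings
    redex = App(Lam(App(Var(Here()), Var(There("y")))), Var("z"))
    print(beta(redex))
    # substituting the closed term \x.x for y under a binder
    print(subst(Lam(App(Var(Here()), Var(There("y")))),
                lambda v: Lam(Var(Here())) if v == "y" else Var(v)))
```

`rename` is the term whose existence Theorem 3 guarantees for $\mathcal{T}$; `subst` only differs from it in the carrier, and the nesting of `There` in the second output is the shift that keeps the substituted term from being captured by the binder it is moved under.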

As an example of the main result in [1], functional programs for the computation of the isomorphisms between $(\mu\alpha.1+\alpha\times\alpha)\to\sigma$ and $(\nu F\lambda\alpha.\,\alpha\times F(F\alpha))\sigma$ are given. Obviously, both $\mu\alpha.1+\alpha\times\alpha$ and $\nu F\lambda\alpha.\,\alpha\times F(F\alpha)$ are proven monotone by Theorem 3. By iteration and coiteration, the "isomorphisms" can be established, and they have the reduction behaviour described by the program in [1], which is based on pattern matching. While [1] establishes that those are in fact isomorphisms w.r.t. semantic equality, we cannot expect such a result in our intensional setting. However, since MICC$^2$ is strongly normalizing, those functional programs are guaranteed to terminate.
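The two directions above, as an added runnable example that is neither the programs of [1] nor code from the paper. It assumes the obvious encodings: `Leaf`/`Node` for $\mu\alpha.1+\alpha\times\alpha$, a lazily unfolded `Bush` for $\nu F\lambda\alpha.\,\alpha\times F(F\alpha)$, `tabulate` for the direction from functions to bushes (rank 2 coiteration with the seed constructor $S\alpha := \mathrm{Tree}\to\alpha$, whose monotonicity witness the coiteration needs) and `lookup` for the direction back (ordinary iteration on the tree with carrier $\mathrm{Bush}\,x\to x$). Only `lookup . tabulate = id` can be checked on finite inputs; the other composition concerns an infinite object, which is the semantic statement the text says not to expect here.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Any, Callable, Union

# Constructed example: binary trees  mu a. 1 + a x a  and the nested coinductive
#   Bush a = nu F lambda a. a x F(F a),
# used to represent functions Tree -> sigma.  Bush is infinite, so its second
# component is a thunk that is unfolded on demand.


@dataclass(frozen=True)
class Leaf:
    pass


@dataclass(frozen=True)
class Node:
    left: "Tree"
    right: "Tree"


Tree = Union[Leaf, Node]


@dataclass
class Bush:
    head: Any                       # sigma
    tail: Callable[[], "Bush"]      # thunk for Bush(Bush sigma)


def tree_iter(leaf: Callable, node: Callable, t: Tree):
    """Ordinary (rank 1) iteration on mu a. 1 + a x a."""
    if isinstance(t, Leaf):
        return leaf()
    return node(tree_iter(leaf, node, t.left), tree_iter(leaf, node, t.right))


def coiter(step: Callable, fmap_s: Callable, seed):
    """Rank 2 coiteration into Bush.  A seed constructor S comes with
    step : S a -> a x S(S a) and its monotonicity witness fmap_s; the result is
    S a -> Bush a at every instance a.  For the tail, coiter is first mapped
    inside the seed (S(S a) -> S(Bush a)) and then applied at instance Bush a,
    which is why S has to be monotone, as in the relativized rank 2 notion."""
    head, seeds = step(seed)
    return Bush(head,
                lambda: coiter(step, fmap_s,
                               fmap_s(lambda s: coiter(step, fmap_s, s), seeds)))


def tabulate(f: Callable[[Tree], Any]) -> Bush:
    """(mu a. 1 + a x a) -> sigma  ==>  Bush sigma, with S a := Tree -> a.
    A function on trees is its value at Leaf plus, for every pair of subtrees,
    its value at their Node: step f = (f Leaf, \\l. \\r. f (Node l r))."""
    step = lambda g: (g(Leaf()), lambda l: (lambda r: g(Node(l, r))))
    fmap_s = lambda h, g: (lambda t: h(g(t)))   # S is covariant: post-compose
    return coiter(step, fmap_s, f)


def lookup(b: Bush, t: Tree):
    """Bush sigma  ==>  (mu a. 1 + a x a) -> sigma, by iteration on the tree
    with carrier  Bush x -> x  (used at x = sigma, Bush sigma, ...)."""
    return tree_iter(lambda: (lambda bush: bush.head),
                     lambda at_left, at_right: (lambda bush: at_right(at_left(bush.tail()))),
                     t)(b)


def leaves(t: Tree) -> int:
    """Sample function on trees to be tabulated."""
    return tree_iter(lambda: 1, lambda a, c: a + c, t)


def round_trip_ok(f: Callable[[Tree], Any], trees) -> bool:
    """lookup . tabulate = id on the given inputs; tabulate is only ever
    unfolded as far as lookup forces it."""
    b = tabulate(f)
    return all(lookup(b, t) == f(t) for t in trees)


if __name__ == "__main__":
    samples = [Leaf(), Node(Leaf(), Leaf()), Node(Node(Leaf(), Leaf()), Leaf()),
               Node(Leaf(), Node(Node(Leaf(), Leaf()), Leaf()))]
    print(round_trip_ok(leaves, samples))
```

The termination guarantee the text draws from strong normalization shows up here as laziness: `coiter` never builds more of the bush than `lookup` demands, so each `lookup` call performs finitely many unfoldings, one per node on the path through the tree.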

Notice that these examples did not use the possibility of interleaved $\mu$ and $\nu$. However, the author still does not know useful examples for rank 2 using interleaving.

Open questions: We are still in need of a good notion of positivity for rank 2. Can we expect monotonicity witnesses for positive constructors to be "unique"? It would be interesting to study course-of-value iteration for rank 2 or the extension of other concepts in [15] to rank 2. The relation to the generalized folds of [3] should be studied carefully. Can their behaviour be simulated in MICC$^2$? This is easy to see in the situation of [3] but not for the general approach to generalized folds [4]. Can one find data structures which need more deeply nested inductive constructors than the example of square matrices in [12]? Is there a chance to get a similarly clean view on constructors of higher rank than 2?